INTRODUCTION

✓ Every single day we handle malware samples that use several known packers such as ASPack, Armadillo, Petite, FSG, UPX, MPRESS, NSPack, PECompact, WinUnpack and so on. For most of them, it is easy to write scripts to unpack them.


✓ We also know the main API functions used to create and allocate memory, such as:

  ✓ VirtualAlloc/Ex()
  ✓ HeapCreate() / RtlCreateHeap()
  ✓ HeapReAlloc()
  ✓ GlobalAlloc()
  ✓ RtlAllocateHeap()


✓ Additionally, we know how to unpack them using debuggers, breakpoints and dumping the unpacked content from memory. Furthermore, pe-sieve from Hasherezade is excellent.


✓ When we realize that the malware uses some customized packing technique, it is still possible to dump it from memory, fix the ImageBase field using a few lines of Python and rebuild its IAT using the impscan plugin, and then analyze it in IDA Pro:

  export VOLATILITY_PROFILE=Win7SP1x86
  python vol.py -f memory.vmem procdump -p 2096 -D . --memory     (--memory keeps the slack space)
  python vol.py -f memory.vmem impscan --output=idc -p 2096
x64dbg script:

  //////////////////////////////////////////////////////////////////
  // File Name : dumpexe.txt (first draft)
  // Comment   : Dump memory segments containing executables
  // Author    : Alexandre Borges
  // Date      : today
  //////////////////////////////////////////////////////////////////

  entry:
      msg "Program to dump modules containing executables."
      msg "You must be at EP before continuing"
      bc                          // clear existing breakpoints
      bphwc                       // clear existing hardware breakpoints
      bp VirtualAlloc             // set up a breakpoint at VirtualAlloc
      erun                        // run and pass all first-chance exceptions to the application

  core:
      sti                         // single-step
      sti                         // single-step
      sti                         // single-step
      sti                         // single-step
      sti                         // single-step
      cmp eax,0                   // test whether eax (the allocated memory) is zero
      je pcode                    // jump to the pcode label
      bpm eax,0,x                 // set an executable memory breakpoint and restore it once hit
      erun                        // run and pass all first-chance exceptions to the application

      // try to find whether the "This program" string exists within the module's memory
      findall $breakpointexceptionaddress,"546869732070726F6772616D"
      cmp $result,0               // check whether there isn't any hit
      je pcode                    // jump to the pcode label

      $dumpaddr = mem.base($breakpointexceptionaddress)   // find the base of the memory region
      $size = mem.size($breakpointexceptionaddress)       // find the size of the memory region
      savedata :memdump:,$dumpaddr,$size                  // dump the segment
      msgyn "Memory dumped! Do you want to continue?"     // show a yes/no dialog
      cmp $result,1               // check your choice
      je scode                    // jump to the scode label
      bc                          // clear existing breakpoints
      bphwc                       // clear existing hardware breakpoints
      ret                         // exit

  pcode:
      msgyn "There isn't a PE file! Do you want to continue?"
      cmp $result,0               // check whether we don't want to continue
      je final
      sti                         // single-step
      erun                        // run and pass all first-chance exceptions to the application
      jmp core                    // jump to the core label

  scode:
      msg "Let's go to next dump" // show a message box
      erun                        // run and pass all first-chance exceptions to the application
      jmp core                    // jump to the core label

  final:
      bc                          // clear existing breakpoints
      bphwc                       // clear existing hardware breakpoints
      ret                         // exit
ANTI-REVERSING

✓ Obfuscation aims to protect software from being reversed, protecting intellectual property and, in our case, malicious code too. Honestly, obfuscation does not really protect the program, but it can make the reverser's life harder than usual.

✓ Thus, in the end, obfuscation buys time by forcing reversers to spend resources and time to break the code.

✓ We see obfuscated code every single day when we analyze common userland malware, droppers written in VBA and PowerShell, so it might not seem to be a big deal.

✓ We can use the IDA Pro SDK to write plugins that extend the IDA Pro functionality, analyze some code and data flow and even automate the unpacking of strange malicious files.

✓ Additionally, if you are facing problems analyzing a modified MBR, you could even write a loader to load the MBR structure and analyze it in IDA Pro.

✓ Unfortunately, there are packers and protectors such as VMProtect, Themida, Arxan and Agile .NET that use modern obfuscation techniques, making the procedure of reversing code very complicated.
✓ Most protectors have been used with 64-bit code (and malware).

✓ The original IAT is removed from the original code (as usually done by any packer). However, the IAT from packers like Themida keeps only one function (TlsSetValue).

✓ Almost all of them provide string encryption.

✓ They protect and check the memory integrity. Thus, it is not possible to dump a clean executable from memory (using Volatility, for example) because the original instructions are not decoded in memory.

✓ Instructions (x86/x64 code) are virtualized and transformed into virtual machine instructions (RISC instructions).

✓ .NET protectors rename classes, methods, fields and external references.

DEF CON CHINA 1.0 (2019) 


ALEXANDRE BORGES — MALWARE AND SECURITY RESEARCHER 


✓ Some packers can use instruction encryption in memory as an additional memory layer.

✓ Obfuscation is stack based, so it is hard to handle virtualized code statically.

✓ Virtualized code is polymorphic, so there are many representations referring to the same CPU instruction.

✓ There are also fake push instructions.

✓ There is a lot of dead and useless code.

✓ There is some code reordering using unconditional jumps.

✓ All obfuscators use code flattening.

✓ Packers have few anti-debugger and anti-VM tricks. However, a few months ago, I saw a not so common anti-VMware trick based on temperature (I will talk about it later).
[Figure: the "Virtualizer" turns a native function int defcon(int x) into bytecodes that are executed through vm_call(opcodes, x); the VM fetches bytes, decodes them into instructions and dispatches them to handlers.]

✓ Protectors using virtual machines introduce into the obfuscated code:

  ✓ A context switch component, which "transfers" register and flag information into the VM context (virtual machine). The opposite movement is done later, from the VM back to the native (x86/x64) context (suitable to keep within C structures during the unpacking process).

  ✓ This "transformation" from native registers to virtualized registers can be one to one, but not always.

  ✓ Inside the virtual machine, the cycle is:

    ✓ fetch the instruction
    ✓ decode it
    ✓ find the pointer to the instruction and look up the associated opcode in a handler table
    ✓ call the target handler
✓ A few interesting concepts:

  ✓ Fetching: the instruction to be executed by the Virtual Machine is fetched.

  ✓ Decoding: the target x86 instruction is decoded using rules from the Virtual Machine (remember: usually, the architecture is based on RISC instructions).

  ✓ Dispatcher: once the handler is determined, jump to the suitable handler. Dispatchers could be made by a jump table or a switch-case structure.

  ✓ Handler: in a nutshell, a handler is the implementation of the Virtual Machine instruction set.




[Figure: the VM execution loop. Initialization (RVA → RVA + process base address, and other tasks), then Fetch → Decode → Dispatch. Instructions are stored in an encrypted format and use opcodes from a custom instruction set; the instruction decoder recovers and decrypts them (encr_1, encr_2, ... encr_n → vm_add, vm_sub, vm_xor, vm_mul, ... vm_n). Opcode indexes select entries in a function pointer table, which is likely encrypted (opcode 1 → function pointer 1, opcode 2 → function pointer 2, ...). A, B, C, ... are handlers such as handler_add, handler_sub, handler_push...]
✓ Is it easy to reverse virtualized and packed code? Certainly, it is not. The number of challenges might be huge.

✓ Remember: obfuscating is transforming code from A to B by using any tricks (including virtualization).

✓ It is not so easy to identify whether the program is virtualized or not.

✓ Handlers, which are independent of each other, usually set up:

  ✓ registers
  ✓ an encryption key
  ✓ memory

✓ There is usually one handler per instruction type.

✓ These handlers are "started" by the VM dispatcher.

✓ Instructions' operands are encrypted using keys (initializing code) provided by the handlers.

✓ Sometimes, keys have 4 bytes and are xor'ed with the operands.

✓ Prologues and epilogues of each function might not be virtualized. Take care.
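To make the fetch/decode/dispatch cycle and the handler-provided keys concrete, the following Python toy virtualizer is an added example; it is not code from the slides or from any real protector. It assumes a stack-based virtual instruction set with a 1-byte opcode and a 4-byte operand XOR-encrypted under a rolling 32-bit key, a per-build shuffled opcode-to-handler table (so two builds of the same native code have different representations), and a context switch that copies the native registers into the VM context and back. The names Virtualizer, VM, next_key and the h_* handlers are this example's own.

```python
import random
import struct

MASK32 = 0xFFFFFFFF
NATIVE_REGS = ("eax", "ecx", "edx", "ebx")


def next_key(key, opcode):
    """Key schedule shared by the virtualizer and the handlers (constructed for
    this example): after each instruction the key for the next operand changes."""
    key = (key ^ (opcode * 0x9E3779B1)) & MASK32
    return ((key << 5) | (key >> 27)) & MASK32


# Handlers: one per virtual instruction type, each a stack based operation
# on the VM context. The operand is the already decrypted 32-bit value.
def h_push_imm(vm, operand): vm.stack.append(operand & MASK32)
def h_push_reg(vm, operand): vm.stack.append(vm.ctx[NATIVE_REGS[operand]])
def h_pop_reg(vm, operand):  vm.ctx[NATIVE_REGS[operand]] = vm.stack.pop()
def h_add(vm, operand):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append((a + b) & MASK32)
def h_sub(vm, operand):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append((a - b) & MASK32)
def h_xor(vm, operand):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append(a ^ b)
def h_exit(vm, operand): vm.running = False

HANDLERS = {"push_imm": h_push_imm, "push_reg": h_push_reg, "pop_reg": h_pop_reg,
            "add": h_add, "sub": h_sub, "xor": h_xor, "exit": h_exit}


class Virtualizer:
    """One polymorphic build: a shuffled opcode -> handler table plus bytecode
    whose operands are XOR-encrypted with the rolling key."""
    def __init__(self, seed):
        rng = random.Random(seed)
        opcodes = rng.sample(range(256), len(HANDLERS))
        self.opcode_of = dict(zip(HANDLERS, opcodes))
        self.handler_table = {op: HANDLERS[m] for m, op in self.opcode_of.items()}
        self.initial_key = rng.getrandbits(32)

    def assemble(self, program):
        key, out = self.initial_key, bytearray()
        for mnemonic, operand in program:
            op = self.opcode_of[mnemonic]
            out.append(op)
            out += struct.pack("<I", (operand ^ key) & MASK32)
            key = next_key(key, op)
        return bytes(out)


class VM:
    def __init__(self, handler_table, initial_key):
        self.handlers, self.initial_key = handler_table, initial_key

    def run(self, bytecode, native_regs):
        # Context switch in: the native registers become the VM context.
        self.ctx, self.stack, self.key = dict(native_regs), [], self.initial_key
        self.vip, self.running = 0, True
        while self.running:
            # Fetch: one opcode byte plus a 4-byte encrypted operand.
            opcode = bytecode[self.vip]
            enc = struct.unpack_from("<I", bytecode, self.vip + 1)[0]
            self.vip += 5
            # Decode: decrypt the operand with the current key, then roll the key.
            operand = enc ^ self.key
            self.key = next_key(self.key, opcode)
            # Dispatch: look the opcode up in the handler table and call it.
            self.handlers[opcode](self, operand)
        # Context switch out: the VM context goes back to the native registers.
        return dict(self.ctx)


# Native "add eax, ecx" expressed with the stack based virtual instruction set.
ADD_EAX_ECX = [("push_reg", 0), ("push_reg", 1), ("add", 0), ("pop_reg", 0), ("exit", 0)]


def run_virtualized(program, native_regs, seed):
    """Virtualize `program` with the given build seed and execute it.
    Returns the native registers after the VM exits and the bytecode."""
    v = Virtualizer(seed)
    bytecode = v.assemble(program)
    return VM(v.handler_table, v.initial_key).run(bytecode, native_regs), bytecode
```

Two builds of ADD_EAX_ECX with different seeds produce different opcode numbers, different operand ciphertext and a different handler table, yet the same result in eax; that is the "many representations of one CPU instruction" point from the slides, and it is why matching handlers by their behaviour rather than by their bytes is the usual approach.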
✓ Have you tried to open the packer in IDA Pro? At first sight: only red and grey blocks (non-functions and data).

✓ Eventually, data blocks could hold VM handlers...

✓ The original code section could be "split" and "scattered" around the program (data and instructions are mixed in the binary, without having just one instruction block).

✓ Instructions referencing import functions could have been either zeroed or replaced by NOPs. Most certainly, they will be restored (re-inserted) dynamically by the packer later.

✓ The "hidden" function code could be copied (memcpy()) to memory allocated by VirtualAlloc(). Of course, there must be a fixup in the code to reach these instructions.
✓ Custom packers usually don't virtualize all x86 instructions.

✓ It is common to see a kind of mix of virtualized instructions, native instructions and data after the packing procedure.

✓ Native APIs could be redirected to stub code, which forwards the call to (copied) native DLLs (from the respective APIs).

✓ API call instructions, which would make direct references to the IAT, are usually translated to short jumps using an RVA to the same import address ("IAT obfuscation").

✓ Worse, the API names could be hashed (as used in shellcodes).
✓ By the way, how many virtualized instructions exist?

✓ Are we able to classify virtualized instructions into groups according to their operands and their purpose (memory access, arithmetic, general, and so on)?

✓ Pay attention to the instruction's stem to put similar classes of instructions together (for example, jump instructions, direct calls, indirect calls and so on).

✓ Are virtualized instructions based on (similar to) x86 instructions?

✓ Has the meaning of the processor flags been modified?
✓ What are the "key instructions" responsible for making the transition from x86 mode to "virtualized mode"?

✓ Remember: usually, registers and flags (EFLAGS) are saved onto the stack before "crossing over" to the VM environment.

✓ What are the instructions responsible for transferring control back to the x86 world?

✓ Most of the time, during the "context transition", parameters are pushed onto the stack.
✓ The VM interpreter code, which is responsible for translating x86 instructions to VM instructions, is usually obfuscated.

✓ The VM instructions themselves are also compressed and encrypted (xor'ed, mostly).

✓ As I've mentioned previously, usually there are many VM instruction codes for only one x86 instruction.

✓ There are two stacks: one from x86 land and another from VM land.

✓ The stack of the virtualized context may grow upward, unlike the x86 standard.

✓ Sometimes, the protector doesn't copy the x86 context into the Virtual Machine. In this case, it prefers to save the context (register contents + flags) for later use.
✓ It is interesting to find out the VM instruction size, which we might fit into a structure that represents the encryption key, data, RVA (location), opcode (type) and so on.

✓ As custom virtualized packers don't have a virtualized instruction for every single x86 instruction, it is recommended to find the handlers for native x86 instructions (non-virtualized instructions).

✓ Usually, handlers for non-virtualized instructions exit the VM environment for a short period, execute the x86 instruction and return to the virtual machine environment.

✓ In this case, x86 instructions are also kept encrypted and compressed together with the virtualized instructions.
✓ Constant unfolding: technique used by obfuscators to replace a constant by a bunch of code that produces the same constant value.

✓ Pattern-based obfuscation: exchange of one instruction by a set of equivalent instructions.

✓ Abusing inline functions.

✓ Anti-VM techniques: prevent the malware sample from running inside a VM.

✓ Dead (garbage) code: this technique is implemented by inserting code whose results will be overwritten in the next lines of code or, worse, will never be used.

✓ Code duplication: different paths coming into the same destination (used by virtualization obfuscators).
✓ Control indirection 1: call instruction > stack pointer update > return skipping some junk code after the call instruction (RET x).

✓ Control indirection 2: the malware triggers an exception > the registered exception handler is called > new branch of instructions.

✓ Opaque predicate: although apparently there is an evaluation (conditional jump: jz/jnz), the result always evaluates to true (or false), which means an unconditional jump. Thus, there is a dead branch.

✓ Anti-debugging: used as irritating techniques to slow down the analysis process.

✓ Polymorphism: produced by self-modifying code (like shellcodes) and by encrypting resources (similar to most malware samples).
✓ Call stack manipulation: changes the stack flow by using instruction tricks composed with the ret instruction, making the real ret hidden.

✓ Is it possible to deobfuscate virtualized instructions? Yes, it is possible using reverse recursive substitution (similar, not equal, to the backtracking feature from Metasm).

✓ Additionally, a symbolic equation system is another good approach (again..., Metasm and MIASM!).

✓ There are many good plugins such as Code Unvirtualizer, VMAttack, VMSweeper, and so on, which could be used to handle simple virtualization problems.

✓ Some evolutions of the instruction virtualizers have arisen using simple and efficient concepts of cryptography such as Substitution Boxes (S-Boxes).
✓ It is quick to create a simple IDA Pro plugin. Download the IDA SDK from https://www.hex-rays.com/products/ida/support/download.shtml (likely, you will need a professional account). Copy it to a folder (idasdk695/) within the IDA Pro installation directory.

✓ Create a project in Visual Studio 2017 (File > New > Create Project > Visual C++ > Windows Desktop > Dynamic-Link Library (DLL)).

✓ Change a few project properties as shown in this slide and the next ones.

[Screenshot: Configuration Properties > C/C++ in Visual Studio 2017; the relevant values are:]
  Additional Include Directories    C:\Program Files (x86)\IDA 6.95\idasdk695\include
  Basic Runtime Checks              Both (/RTC1, equiv. to /RTCsu)
  Calling Convention                __stdcall (/Gz)
  Compile As                        Default
  Conformance mode                  Yes (/permissive-)
✓ Include the __NT__ and __IDP__ preprocessor definitions and change the Runtime Library to "Multi-threaded" (/MT) (take care: it is NOT /MTd).

[Screenshot: Configuration Properties > C/C++ > All Options; the relevant values are:]
  Omit Frame Pointers                   No (/Oy-)
  Optimization                          Disabled (/Od)
  Precompiled Header                    Not Using Precompiled Headers
  Precompiled Header File               stdafx.h
  Precompiled Header Output File        $(IntDir)$(TargetName).pch
  Preprocessor Definitions              __NT__;__IDP__;_MBCS;%(PreprocessorDefinitions)
  Program Database File Name            $(IntDir)vc$(PlatformToolsetVersion).pdb
  Remove unreferenced code and data     Yes (/Zc:inline)
  Runtime Library                       Multi-threaded (/MT)
  SDL checks                            Yes (/sdl)
  Security Check                        Disable Security Check (/GS-)
  Spectre Mitigation                    Disabled
  Struct Member Alignment               Default
  Support Just My Code Debugging        Yes (/JMC)
  Suppress Startup Banner               Yes (/nologo)
  Treat Warnings As Errors              No (/WX-)
✓ Add ida.lib (from C:\Program Files (x86)\IDA 6.95\idasdk695\lib\x86_win_vc_32) to Additional Dependencies and its folder to Additional Library Directories.

✓ Add /EXPORT:PLUGIN to Additional Options.

[Screenshot: Configuration Properties > Linker; the relevant values are:]
  Additional Dependencies               ida.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi…
  Additional Library Directories        C:\Program Files (x86)\IDA 6.95\idasdk695\lib\x86_win_vc_32
  Additional Options                    /EXPORT:PLUGIN %(AdditionalOptions)
  Data Execution Prevention (DEP)       Yes (/NXCOMPAT)
  Enable Incremental Linking            Yes (/INCREMENTAL)
  Enable User Account Control (UAC)     Yes (/MANIFESTUAC:)

Output File: the /OUT option overrides the default name and location of the program that the linker creates.
The plugin source (IDA 6.95 SDK):

  #include <ida.hpp>
  #include <idp.hpp>
  #include <loader.hpp>      // plugin_t
  #include <kernwin.hpp>     // msg()
  #include <strlist.hpp>     // don't forget the necessary headers
  #include <search.hpp>

  // Initialization function: make the plugin available to this idb and keep
  // the plugin loaded in memory.
  int IDAP_init(void)
  {
      return PLUGIN_KEEP;
  }

  // Clean-up tasks.
  void IDAP_term(void)
  {
      return;
  }

  // Function to be called when the user activates the plugin.
  void IDAP_run(int arg)
  {
      msg("Hello DEFCON CHINA! We love IDA Pro :)\n\n");

      char defcon[MAXSTR];
      string_info_t strinfo;
      // Simple (and incomplete) URL regex.
      char s[] = "[a-zA-Z0-9_-]+[\\.]{1,}[a-zA-Z0-9_-]+[\\.]{1,}[a-z]{2,}";
      ea_t last = BADADDR;
      ea_t ea = BADADDR;
      int urlcount = 1;

      // get_strlist_qty() returns the number of strings in the "Strings" window.
      for (size_t x = 0; x < get_strlist_qty(); x++) {
          get_strlist_item(x, &strinfo);
          if (strinfo.length < sizeof(defcon)) {
              // Get the string bytes and terminate them.
              get_many_bytes(strinfo.ea, defcon, strinfo.length);
              defcon[strinfo.length] = '\0';
              // The core logic is only this: check whether the string matches the
              // URL regex. If it matches, find_text() returns strinfo.ea itself.
              ea = find_text(strinfo.ea, 0, 0, s, SEARCH_REGEX);
              if (ea == strinfo.ea) {
                  msg("Address 0x%x - URL %d: %s\n", strinfo.ea, urlcount, defcon);
                  urlcount++;
              }
          }
      }
      return;
  }

  char IDAP_comment[] = "The simplest possible plugin";
  char IDAP_help[] = "DEFCON plugin";
  char IDAP_name[] = "DEFCON plugin";
  // The plugin will be activated by the key combination ALT-X.
  char IDAP_hotkey[] = "ALT-X";

  // Plugin structure.
  plugin_t PLUGIN =
  {
      IDP_INTERFACE_VERSION,
      0,                 // plugin flags
      IDAP_init,
      IDAP_term,
      IDAP_run,
      IDAP_comment,
      IDAP_help,
      IDAP_name,
      IDAP_hotkey
  };
[Screenshot: IDA Pro with the malicious driver C:\VMs\driver.99f8c000.sys loaded (Format: Portable executable for 80386 (PE), Imagebase 99F8C000, Timestamp Thu Aug 11 10:11:24 2011, Section 1 virtual address 00001000, virtual size 00009898, section size in file 00009000, offset to raw data 00000400, Flags 60000020: Text Executable Readable). The Functions window lists sub_99F8D000 ... sub_99F8D970. After pressing ALT+X, the Output window shows:

  Hello DEFCON CHINA! We love IDA Pro :)

  Address 0x99f990d8 - URL 1: ...
  (one "Address 0x... - URL n: ..." line per match, from 0x99f990d8 up to 0x99f99195)

URLs found within this malicious driver: ntp2.usno.navy.mil, ntp.adc.am, tock.usask.ca, ntp.crifo.org, ntp1.arnes.si, ntp.duckcorp.org, www.nist.gov, clock.isc.org, time.windows.com, time2.one4vision.de, time.cerias.purdue.edu, clock.fihn.net]
✓ IDA processor modules continue to be one of the best approaches to handle virtualized packers.

✓ Please remember a few important points (as mentioned by Ilfak from Hex-Rays) about how to write an IDA processor module:

  ✓ Write an analyser: it decodes instructions and fills structures with the result (ana.cpp).

  ✓ Modify (or write) an emulator: it processes the commands decoded by the analyser, creates cross-references and tracks the register contents (emu.cpp).

  ✓ Write an outputter: it writes the output, a handled output containing prefix, comments and xrefs (out.cpp).

✓ The IDA Pro SDK documentation and samples are always great.
✓ This technique is used to hide the real control flow of a program.

✓ In a general way, the idea is to break the control flow by removing if-statements and loops, transforming the flow into a series of switch-case statements.

✓ Code-flow graph flattening:

[Figure: the control-flow graph before and after flattening; after flattening, every basic block hangs off a central dispatcher and returns to it.]

✓ Thus, there is a dispatcher handing over the control flow to handlers, and each handler updates the instruction pointer to the value of the next handler to be executed (virtualizing the flow control).

✓ Usually there is an invocation stub, which makes the transition from native instructions to the virtualized instructions.

✓ This approach presents two reversing problems: the mapping can be from CISC to RISC instructions, and the original registers can be turned into special registers of the VM.

✓ Because of trade-offs, CFG flattening is only applied to specific functions.
Original program (control flow: loading libs → aborges = 0 → aborges < 30 → printf → aborges++ → back to the comparison):

  #include <stdio.h>

  int main(void)
  {
      int aborges = 0;
      while (aborges < 30)
      {
          printf("%d\n", aborges);
          aborges++;
      }
      return 0;
  }

✓ Disadvantages:

  ✓ Loss of performance
  ✓ Easy to identify the CFG flattening
[IDA listing of the original main (; int __cdecl main(int argc, const char **argv, const char **envp); public main; main proc near; var_4 = dword ptr -4): the prologue (push / mov / sub ..., 10h) is followed by mov [var_4], 0 and jmp short loc_675; the comparison block does cmp [var_4], 1Dh / jle short loc_65B and otherwise falls into leave / retn / main endp; the loop body at loc_65B loads var_4, does lea ..., format / mov ... / call _printf and add [var_4], 1 before jumping back to the comparison.]
✓ obfuscator-llvm is an excellent project to be used for code obfuscation. To install it, it is recommended to add a swap file first (because of the linking stage):

  fallocate -l 8GB /swapfile
  chmod 600 /swapfile
  mkswap /swapfile
  swapon /swapfile
  swapon --show
  apt-get install llvm-4.0
  apt-get install gcc-multilib          (installs gcc library support for 32 bit)
  git clone -b llvm-4.0 https://github.com/obfuscator-llvm/obfuscator.git
  mkdir build ; cd build/
  cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_INCLUDE_TESTS=OFF ../obfuscator/
  make -j7

✓ Possible usages:

  ./build/bin/clang alexborges.c -o alexborges -mllvm -fla
  ./build/bin/clang alexborges.c -m32 -o alexborges -mllvm -fla
  ./build/bin/clang alexborges.c -o alexborges -mllvm -fla -mllvm -sub
Decompiled flattened main (obfuscator-llvm -fla):

  int __cdecl main(int argc, const char **argv, const char **envp)
  {
      signed int v3; // eax@5
      int v4; // eax@8
      __int64 v6; // [rsp+0h] [rbp-20h]@0
      signed int v7; // [rsp+14h] [rbp-Ch]@1
      signed int v8; // [rsp+18h] [rbp-8h]@1

      v8 = 0;
      v7 = 2118196251;
      while ( v7 != -803096687 )
      {
          if ( v7 == 900748651 )
          {
              v4 = printf("%d\n", (unsigned int)v8++, envp, 96, 7317960004152066048LL);
              v7 = 2118196251;
              LODWORD(v6) = v4;
          }
          else
          {
              HIDWORD(v6) = v7 - 2118196251;
              if ( v7 == 2118196251 )
              {
                  v3 = -803096687;
                  if ( v8 < 30 )
                      v3 = 900748651;
                  v7 = v3;
              }
          }
      }
  }
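As an added example (not from the slides and not obfuscator-llvm code), the Python below writes the same loop twice: once as written, and once flattened into a dispatcher loop driven by a state variable, reusing the state constants from the decompiled listing above (2118196251, 900748651, -803096687). recover_edges() then shows why the slide calls the technique easy to identify: running each dispatcher block under representative local states gives back the original edges, separating the loop-back edge from the exit edge. All function names are this example's own.

```python
# State constants taken from the decompiled flattened main shown above.
STATE_COND, STATE_BODY, STATE_EXIT = 2118196251, 900748651, -803096687


def original_main(limit=30):
    """The original loop: the control flow is visible in the code structure."""
    printed, aborges = [], 0
    while aborges < limit:
        printed.append(aborges)          # printf("%d\n", aborges)
        aborges += 1
    return printed


# The flattened form as a table of blocks: each block does its work on the
# locals and returns the next state, exactly like the if/else chain under
# "while ( v7 != -803096687 )" in the decompiled listing.
def cond_block(loc):
    return STATE_BODY if loc["v8"] < loc["limit"] else STATE_EXIT


def body_block(loc):
    loc["printed"].append(loc["v8"])     # v4 = printf("%d\n", v8++)
    loc["v8"] += 1
    return STATE_COND


FLATTENED_BLOCKS = {STATE_COND: cond_block, STATE_BODY: body_block}


def flattened_main(limit=30):
    """The same loop after flattening: the dispatcher loop selects a block by
    the state variable v7 and every block hands the next state back."""
    loc = {"v8": 0, "limit": limit, "printed": []}
    v7 = STATE_COND
    while v7 != STATE_EXIT:
        v7 = FLATTENED_BLOCKS[v7](loc)
    return loc["printed"]


def recover_edges(blocks, probes):
    """Rebuild the real control-flow graph from the dispatcher table by
    running each block on representative local states (here: the counter
    below and at the limit) and collecting the states it returns."""
    edges = {}
    for state, block in blocks.items():
        successors = set()
        for probe in probes:
            loc = {k: (list(v) if isinstance(v, list) else v) for k, v in probe.items()}
            successors.add(block(loc))
        edges[state] = successors
    return edges
```

The recovered edge set {COND → {BODY, EXIT}, BODY → {COND}} is the original while loop; a real deflattening pass does the same thing symbolically over the state-variable assignments instead of by probing.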


Simple opaque predicate and anti-disassembly technique:

  .text:00401000 loc_401000:                          ; CODE XREF: _main+Fp
  .text:00401000                 push    ebp
  .text:00401001                 mov     ebp, esp
  .text:00401003                 xor     eax, eax
  .text:00401005                 jz      short near ptr loc_40100D+1
  .text:00401007                 jnz     near ptr loc_40100D+4
  .text:0040100D
  .text:0040100D loc_40100D:                          ; CODE XREF: .text:00401005j
  .text:0040100D                                      ; .text:00401007j
  .text:0040100D                 jmp     near ptr 0D0A8837h
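As an added example (not from the slides), the Python below decodes a reconstructed copy of the bytes behind that listing in two ways: a linear sweep, which takes the E9 byte at 0x40100D for a 5-byte jmp and swallows the real instruction at 0x40100E, and a flow-following pass that propagates the zero flag set by xor eax, eax, so that jz is known to be always taken and the dead jnz/jmp bytes are never decoded. The opcode bytes follow the mnemonics in the listing; the four bytes after E9 are derived from the listing's jump target (0D0A8837h - 0x401012 = 0CCA7825h); the bytes from 0x401012 onward are constructed filler; and the decoder, which covers only this handful of opcodes, is this example's own.

```python
import struct

BASE = 0x401000
KEEP = "keep"   # instruction leaves ZF as it was

# Bytes reconstructed from the listing (see the lead-in for what is derived
# and what is constructed).
CODE = bytes([
    0x55,                                 # 401000 push ebp
    0x8B, 0xEC,                           # 401001 mov ebp, esp
    0x33, 0xC0,                           # 401003 xor eax, eax   (ZF := 1)
    0x74, 0x07,                           # 401005 jz  0x40100E   (loc_40100D+1)
    0x0F, 0x85, 0x04, 0x00, 0x00, 0x00,   # 401007 jnz 0x401011   (loc_40100D+4)
    0xE9,                                 # 40100D junk byte: looks like a jmp rel32
    0x25, 0x78, 0xCA, 0x0C,               # 40100E real code: and eax, imm32 ...
    0x00,                                 # 401012 constructed: last byte of that imm32
    0x5D, 0xC3,                           # 401013 constructed: pop ebp ; ret
])


def decode(addr):
    """Decode one instruction of the small x86 subset used here. Returns
    (text, length, successors, zf_after) with zf_after 1, None (unknown) or KEEP."""
    i = addr - BASE
    b = CODE[i]
    nxt = CODE[i + 1] if i + 1 < len(CODE) else None
    if b == 0x55: return "push ebp", 1, [addr + 1], KEEP
    if b == 0x5D: return "pop ebp", 1, [addr + 1], KEEP
    if b == 0xC3: return "ret", 1, [], KEEP
    if b == 0x8B and nxt == 0xEC: return "mov ebp, esp", 2, [addr + 2], KEEP
    if b == 0x33 and nxt == 0xC0: return "xor eax, eax", 2, [addr + 2], 1
    if b == 0x25 and i + 5 <= len(CODE):
        imm = struct.unpack_from("<I", CODE, i + 1)[0]
        return f"and eax, 0x{imm:X}", 5, [addr + 5], None
    if b == 0x74 and nxt is not None:
        rel = struct.unpack_from("<b", CODE, i + 1)[0]
        return f"jz 0x{addr + 2 + rel:X}", 2, [addr + 2, addr + 2 + rel], KEEP
    if b == 0x0F and nxt == 0x85 and i + 6 <= len(CODE):
        rel = struct.unpack_from("<i", CODE, i + 2)[0]
        return f"jnz 0x{addr + 6 + rel:X}", 6, [addr + 6, addr + 6 + rel], KEEP
    if b == 0xE9 and i + 5 <= len(CODE):
        rel = struct.unpack_from("<i", CODE, i + 1)[0]
        return f"jmp 0x{addr + 5 + rel:X}", 5, [addr + 5 + rel], KEEP
    return f"db 0x{b:02X}", 1, [addr + 1], None


def linear_sweep():
    """Decode byte after byte: whatever the previous instruction's length says
    is where the next one starts, so the E9 junk byte eats the real code."""
    out, addr = {}, BASE
    while addr < BASE + len(CODE):
        text, size, _, _ = decode(addr)
        out[addr] = text
        addr += size
    return out


def flow_following(track_flags=True):
    """Recursive traversal from BASE. With track_flags, the ZF value known
    after 'xor eax, eax' is propagated, so 'jz' is recognised as always taken
    and the bogus 'jnz' / 'jmp' bytes are never decoded."""
    out, work, seen = {}, [(BASE, None)], set()
    while work:
        addr, zf = work.pop()
        if addr in seen or not BASE <= addr < BASE + len(CODE):
            continue
        seen.add(addr)
        text, size, succ, zf_after = decode(addr)
        out[addr] = text
        if track_flags and zf is not None:
            if text.startswith("jz "):
                succ = [succ[1]] if zf == 1 else [succ[0]]
            elif text.startswith("jnz "):
                succ = [succ[0]] if zf == 1 else [succ[1]]
        zf = zf if zf_after == KEEP else zf_after
        work.extend((s, zf) for s in succ)
    return out
```

Without flag tracking, flow following still reaches both 0x40100D and 0x40100E, which is the overlapping-instruction situation IDA shows in the listing; the flag reasoning is what removes the dead branch.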
[IDA listing of a decrypted shellcode (seg000:00000224 to seg000:0000024E): a small decryption routine (proc near) built from lodsb / mov dl, al / sub dl, ... / (one more operation on dl) / lodsb / sub al, ... / add al, dl / stosb / dec ... / jnz short loc_23A / retn, with the constants 46h and 6Dh visible among the operands, followed at loc_24B by the call into the decrypted code. The slide labels the two parts "Decrypted shellcode" and "Decryption instructions".]
✓ Call stack manipulation:

  00401040    call  $+5
  00401045    pop   ecx
  00401046    inc   ecx
  00401047    inc   ecx
  00401048    add   ecx, 4
  00401049    add   ecx, 4
  0040104A    push  ecx
  0040104B    ret

  0040104C    sub   ecx, 6
  0040104D    dec   ecx
  0040104E    dec   ecx

  0040104F    jmp   0x401320

✓ Do you know what's happening here?
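To answer the question, the following Python (an added example, not from the slides) emulates the listing with a small stack: the call pushes the address of the pop ecx, the pop retrieves it, the two inc and two add instructions move it forward by 10 bytes, and the push/ret pair turns that value into a jump that skips the junk sub/dec/dec and lands on the jmp 0x401320. The addresses are the ones shown on the slide (one per line, as drawn there); the emulate() helper is this example's own and understands only this handful of instructions.

```python
# The listing from the slide as (address, instruction) pairs.
LISTING = [
    (0x401040, "call $+5"),
    (0x401045, "pop ecx"),
    (0x401046, "inc ecx"),
    (0x401047, "inc ecx"),
    (0x401048, "add ecx, 4"),
    (0x401049, "add ecx, 4"),
    (0x40104A, "push ecx"),
    (0x40104B, "ret"),
    (0x40104C, "sub ecx, 6"),     # junk: never executed
    (0x40104D, "dec ecx"),        # junk: never executed
    (0x40104E, "dec ecx"),        # junk: never executed
    (0x40104F, "jmp 0x401320"),
]


def emulate(listing, start, max_steps=100):
    """Tiny emulator for this instruction subset. Returns the executed
    addresses in order and the address control finally leaves to."""
    ins_at = dict(listing)
    next_addr = {a: (listing[i + 1][0] if i + 1 < len(listing) else None)
                 for i, (a, _) in enumerate(listing)}
    regs, stack, trace, pc = {"ecx": 0}, [], [], start
    for _ in range(max_steps):
        if pc not in ins_at:
            return trace, pc             # left the listing: this is the real destination
        ins = ins_at[pc]
        trace.append(pc)
        op, _, rest = ins.partition(" ")
        args = [x.strip() for x in rest.split(",")] if rest else []
        fall = next_addr[pc]
        if op == "call" and args[0].startswith("$+"):
            # "call $+5": the target is the next instruction and the pushed
            # return address is that same instruction.
            ret = pc + int(args[0][2:])
            stack.append(ret)
            pc = ret
        elif op == "pop":
            regs[args[0]] = stack.pop(); pc = fall
        elif op == "push":
            stack.append(regs[args[0]]); pc = fall
        elif op == "inc":
            regs[args[0]] += 1; pc = fall
        elif op == "dec":
            regs[args[0]] -= 1; pc = fall
        elif op == "add":
            regs[args[0]] += int(args[1], 0); pc = fall
        elif op == "sub":
            regs[args[0]] -= int(args[1], 0); pc = fall
        elif op == "ret":
            pc = stack.pop()                 # the hidden jump: ret to the computed value
        elif op == "jmp":
            pc = int(args[0], 0)
        else:
            raise ValueError(f"unsupported instruction: {ins}")
    raise RuntimeError("no exit within max_steps")


def never_executed(listing, trace):
    """Instructions a static reader sees but execution skips (the junk)."""
    return [(a, ins) for a, ins in listing if a not in trace]
```

The ret is the real control transfer here, and the value it consumes is computed at run time; a static disassembler that treats ret as a function end (and the junk after it as reachable code) gets both the function boundary and the code wrong.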
METASM (keystone + capstone + unicorn)

Four stages of the same computation, each more obfuscated than the previous one:

  Stage 1:          Stage 2:          Stage 3:          Stage 4:
  add eax, ecx      sub eax, B9       sub eax, B9       push ebx
                    add eax, ecx      sub eax, 86       mov ebx, B9
                    add eax, B9       add eax, ecx      sub eax, ebx
                                      add eax, 86       pop ebx
                                      push edx          sub eax, 55
                                      mov edx, 42       sub eax, 32
                                      inc edx           add eax, ecx
                                      dec edx           add eax, 50
                                      add edx, 77       add eax, 37
                                      add eax, edx      push edx
                                      pop edx           push ecx
                                                        mov ecx, 49
                                                        mov edx, ecx
                                                        pop ecx
                                                        inc edx
                                                        add edx, 70
                                                        dec edx
                                                        add eax, edx
                                                        pop edx

✓ How to reverse the obfuscation and, from stage 4, return to stage 1?
✓ METASM works as a disassembler, assembler, debugger, compiler and linker.

✓ Key features:

  ✓ Written in Ruby
  ✓ C compiler and decompiler
  ✓ Automatic backtracking
  ✓ Live process manipulation
  ✓ Supports the following architectures: Intel IA32 (16/32/64 bits), PPC, MIPS
  ✓ Supports the following file formats: MZ and PE/COFF, ELF, Mach-O, Raw (shellcode)

  root@kali:~/programs# git clone https://github.com/jjyg/metasm.git
  root@kali:~/programs# cd metasm/
  root@kali:~/programs/metasm# make
  root@kali:~/programs/metasm# make all

✓ Include the following line in the .bashrc file to indicate the Metasm installation directory:

  export RUBYLIB=$RUBYLIB:~/programs/metasm
defcon.rb (based on metasm.rb and Bruce Dang's code):

  #!/usr/bin/ruby
  # based on metasm.rb and Bruce Dang code.

  require "metasm"
  include Metasm

  mycode = Metasm::Shellcode.assemble(Metasm::Ia32.new, <<EOB)
  entry:
      push ebx
      mov ebx, 0xb9
      sub eax, ebx
      pop ebx
      sub eax, 0x55
      sub eax, 0x32
      add eax, ecx
      add eax, 0x50
      add eax, 0x37
      push edx
      push ecx
      mov ecx, 0x49
      mov edx, ecx
      pop ecx
      inc edx
      add edx, 0x70
      dec edx
      add eax, edx
      pop edx
      jmp eax          ; this instruction was inserted to make the eax register evaluation easier
  EOB

  addrstart = 0
  asmcode = mycode.init_disassembler
  asmcode.disassemble(addrstart)                 # initialize and disassemble the code from the beginning (start)
  defcon_di = asmcode.di_at(addrstart)
  defcon = defcon_di.block

  puts "\n<!!!> DEF CON China 1.0:\n"
  puts defcon.list                               # list the assembly code

  defcon.list.each { |aborges|
      puts "\n<!!!> #{aborges.instruction}"
      back = aborges.backtrace_binding           # initialize the backtracking engine
      v = back.values
      k = back.keys
      j = k.zip(v)
      puts "DEF CON China data flow follows below:\n"
      j.each do |mykeys, myvalues|
          puts "   Processing: #{mykeys} ==> #{myvalues}"
      end
      if aborges.opcode.props[:setip]            # determines which is the final instruction to walk back from
          puts "\nDEF CON China control flow follows below:\n"
          puts "   >>> #{asmcode.get_xrefs_x(aborges)}"
      end
  }

  addrstart2 = 0
  asmcode2 = mycode.init_disassembler
  asmcode2.disassemble(addrstart2)
  dd = asmcode2.block_at(addrstart2)
  final = asmcode2.get_xrefs_x(dd.list.last).first   # backtracking from the last instruction
  puts "\n[+] final output: #{final}"

  values = asmcode2.backtrace(final, dd.list.last.address,
                              :log => (backtracing_log = []), :include_start => true)

  backtracing_log.each { |record|
      case type = record.first                   # logs the sequence of backtracked expressions
      when :start
          record, expression, addresses = record
          puts "[start] Here is the sequence of expressions #{expression} from 0x#{addresses.to_s(16)}\n"
      when :di
          record, new, old, instruction = record
          puts "[new update] instruction #{instruction},\n --> updating expression once again from #{old} to #{new}\n"
      end
  }

  # Show only the effective instructions, which really can alter the final result.
  effective = backtracing_log.select { |y| y.first == :di }.map { |y| y[3] }.reverse
  puts "\nThe effective instructions are:\n\n"
  puts effective
root@kali:~/programs/metasm# ./defcon.rb

<!!!> DEF CON China 1.0:
0 push ebx
1 mov ebx, 0b9h
6 sub eax, ebx
8 pop ebx
9 sub eax, 55h
0ch sub eax, 32h
0fh add eax, ecx
11h add eax, 50h
14h add eax, 37h
17h push edx
18h push ecx
19h mov ecx, 49h
1eh mov edx, ecx
20h pop ecx
21h inc edx
22h add edx, 70h
25h dec edx
26h add eax, edx
28h pop edx
29h jmp eax

<!!!> push ebx
DEF CON China data flow follows below:
 Processing: esp ==> esp-4
 Processing: dword ptr [esp] ==> ebx

<!!!> mov ebx, 0b9h
DEF CON China data flow follows below:
 Processing: ebx ==> 0b9h

(Remember: this is our obfuscated code.)

<!!!> sub eax, ebx
DEF CON China data flow follows below:
 Processing: eax ==> eax-ebx
 Processing: eflag_z ==> (((eax&0ffffffffh)-(ebx&0ffffffffh))&0ffffffffh)==0
 Processing: eflag_s ==> ((((eax&0ffffffffh)-(ebx&0ffffffffh))&0ffffffffh)>>1fh)!=0
 Processing: eflag_c ==> (eax&0ffffffffh)<(ebx&0ffffffffh)
 Processing: eflag_o ==> ((((eax&0ffffffffh)>>1fh)!=0)==(!(((ebx&0ffffffffh)>>1fh)!=0)))&&((((eax&0ffffffffh)>>1fh)!=0)!=(((((eax&0ffffffffh)-(ebx&0ffffffffh))&0ffffffffh)>>1fh)!=0))

<!!!> pop ebx
DEF CON China data flow follows below:
 Processing: esp ==> esp+4
 Processing: ebx ==> dword ptr [esp]

<!!!> sub eax, 55h
DEF CON China data flow follows below:
 Processing: eax ==> eax-55h
 Processing: eflag_z ==> (((eax&0ffffffffh)-((55h)&0ffffffffh))&0ffffffffh)==0
 Processing: eflag_s ==> ((((eax&0ffffffffh)-((55h)&0ffffffffh))&0ffffffffh)>>1fh)!=0
 Processing: eflag_c ==> (eax&0ffffffffh)<((55h)&0ffffffffh)
 Processing: eflag_o ==> ((((eax&0ffffffffh)>>1fh)!=0)==(!((((55h)&0ffffffffh)>>1fh)!=0)))&&((((eax&0ffffffffh)>>1fh)!=0)!=(((((eax&0ffffffffh)-((55h)&0ffffffffh))&0ffffffffh)>>1fh)!=0))

<!!!> sub eax, 32h
DEF CON China data flow follows below:
 Processing: eax ==> eax-32h
 Processing: eflag_z ==> (((eax&0ffffffffh)-((32h)&0ffffffffh))&0ffffffffh)==0
 Processing: eflag_s ==> ((((eax&0ffffffffh)-((32h)&0ffffffffh))&0ffffffffh)>>1fh)!=0
 Processing: eflag_c ==> (eax&0ffffffffh)<((32h)&0ffffffffh)
 Processing: eflag_o ==> ((((eax&0ffffffffh)>>1fh)!=0)==(!((((32h)&0ffffffffh)>>1fh)!=0)))&&((((eax&0ffffffffh)>>1fh)!=0)!=(((((eax&0ffffffffh)-((32h)&0ffffffffh))&0ffffffffh)>>1fh)!=0))
[+] final output: eax

[start] Here is the sequence of expression evaluations eax from 0x29
[new update] instruction 26h add eax, edx,
 --> updating expression once again from eax to eax+edx
[new update] instruction 25h dec edx,
 --> updating expression once again from eax+edx to eax+edx-1
[new update] instruction 22h add edx, 70h,
 --> updating expression once again from eax+edx-1 to eax+edx+6fh
[new update] instruction 21h inc edx,
 --> updating expression once again from eax+edx+6fh to eax+edx+70h
[new update] instruction 1eh mov edx, ecx,
 --> updating expression once again from eax+edx+70h to eax+ecx+70h
[new update] instruction 19h mov ecx, 49h,
 --> updating expression once again from eax+ecx+70h to eax+0b9h
[new update] instruction 14h add eax, 37h,
 --> updating expression once again from eax+0b9h to eax+0f0h
[new update] instruction 11h add eax, 50h,
 --> updating expression once again from eax+0f0h to eax+140h
[new update] instruction 0fh add eax, ecx,
 --> updating expression once again from eax+140h to eax+ecx+140h
[new update] instruction 0ch sub eax, 32h,
 --> updating expression once again from eax+ecx+140h to eax+ecx+10eh
[new update] instruction 9 sub eax, 55h,
 --> updating expression once again from eax+ecx+10eh to eax+ecx+0b9h
[new update] instruction 6 sub eax, ebx,
 --> updating expression once again from eax+ecx+0b9h to eax-ebx+ecx+0b9h
[new update] instruction 1 mov ebx, 0b9h,
 --> updating expression once again from eax-ebx+ecx+0b9h to eax+ecx
The effective instructions are:

1 mov ebx, 0b9h
6 sub eax, ebx
9 sub eax, 55h
0ch sub eax, 32h
0fh add eax, ecx
11h add eax, 50h
14h add eax, 37h
19h mov ecx, 49h
1eh mov edx, ecx
21h inc edx
22h add edx, 70h
25h dec edx
26h add eax, edx

(Output originated from the backtracing_log.select command, in reverse.)

DEF CON CHINA 1.0 (2019)
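What Metasm's backtrace computed above, and the answer to the earlier question of how to get from the obfuscated listing back to the original expression, can be reproduced without Metasm. The following is an added example written for this page, not a script from the talk: a small symbolic evaluator in pure Python over the obfuscated sequence as listed on the slides. Every register is a linear expression over its initial value (the `_init` suffix and the `stackN` slot names are this example's own conventions), so the final state falls out as `eax = eax_init+ecx_init`, substituting concrete values gives the numbers the emulators later report, and a backward walk over the recorded def/use pairs yields the same thirteen "effective instructions" Metasm listed.

```python
MASK = 0xFFFFFFFF

# The obfuscated sequence exactly as listed on the page, hex immediates.
OBFUSCATED = ("push ebx; mov ebx, 0xb9; sub eax, ebx; pop ebx; sub eax, 0x55; sub eax, 0x32; "
              "add eax, ecx; add eax, 0x50; add eax, 0x37; push edx; push ecx; mov ecx, 0x49; "
              "mov edx, ecx; pop ecx; inc edx; add edx, 0x70; dec edx; add eax, edx; pop edx")


def parse(listing):
    """Split ';'/newline-separated 'mnemonic op1, op2' text into (mnemonic, [operands])."""
    insns = []
    for line in listing.replace(";", "\n").splitlines():
        if line.strip():
            mnem, _, rest = line.strip().partition(" ")
            insns.append((mnem, [o.strip() for o in rest.split(",")] if rest.strip() else []))
    return insns


class Expr(object):
    """Linear expression sum(coefficient * symbol) + const, modulo 2**32."""

    def __init__(self, terms=None, const=0):
        self.terms = {k: v & MASK for k, v in (terms or {}).items() if v & MASK}
        self.const = const & MASK

    def add(self, other, sign=1):
        terms = dict(self.terms)
        for k, v in other.terms.items():
            terms[k] = (terms.get(k, 0) + sign * v) & MASK
        return Expr(terms, self.const + sign * other.const)

    def evaluate(self, env):          # substitute concrete initial values
        return (self.const + sum(c * env[k] for k, c in self.terms.items())) & MASK

    def __str__(self):
        parts = [k if c == 1 else ("-" + k if c == MASK else "%d*%s" % (c, k))
                 for k, c in sorted(self.terms.items())]
        if self.const or not parts:
            parts.append(hex(self.const))
        return "+".join(parts).replace("+-", "-")


def run(insns, regs=("eax", "ebx", "ecx", "edx")):
    """Symbolic execution. Also records, per instruction, the slots it writes and reads
    (register names, or stackN for the N-th stack slot) for the backward slice."""
    state = {r: Expr({r + "_init": 1}) for r in regs}
    stack, deps = [], []
    for mnem, ops in insns:
        dst = ops[0]
        if mnem == "push":
            stack.append(state[dst])
            deps.append((["stack%d" % len(stack)], [dst]))
        elif mnem == "pop":
            slot = "stack%d" % len(stack)
            state[dst] = stack.pop()
            deps.append(([dst], [slot]))
        else:
            if len(ops) == 1:                          # inc / dec
                src = Expr(const=1)
            elif ops[1] in state:
                src = state[ops[1]]
            else:
                src = Expr(const=int(ops[1], 0))
            reads = [o for o in ops[1:] if o in state] + ([] if mnem == "mov" else [dst])
            if mnem == "mov":
                state[dst] = src
            elif mnem in ("add", "inc"):
                state[dst] = state[dst].add(src)
            elif mnem in ("sub", "dec"):
                state[dst] = state[dst].add(src, -1)
            else:
                raise ValueError("unsupported instruction: " + mnem)
            deps.append(([dst], reads))
    return state, deps


def backward_slice(deps, target):
    """Walk the def/use records backwards from `target`; return the indices of the
    instructions that influence it, which is what Metasm's backtrace reports."""
    live, effective = {target}, []
    for idx in range(len(deps) - 1, -1, -1):
        writes, reads = deps[idx]
        if any(w in live for w in writes):
            effective.append(idx)
            live = (live - set(writes)) | set(reads)
    return sorted(effective)


def analyse(listing=OBFUSCATED, target="eax"):
    """Final symbolic state plus the effective instructions for `target`."""
    insns = parse(listing)
    state, deps = run(insns)
    return state, [insns[i] for i in backward_slice(deps, target)]


if __name__ == "__main__":
    state, effective = analyse()
    for reg in sorted(state):
        print("%s = %s" % (reg, state[reg]))                 # eax = eax_init+ecx_init
    print("eax with eax=4, ecx=7: %#x" % state["eax"].evaluate({"eax_init": 4, "ecx_init": 7}))
    print("effective instructions: " + "; ".join(m + " " + ", ".join(o) for m, o in effective))
```

The slice works because the six instructions that Metasm drops (the push/pop pairs and `pop ecx`) only write slots that are never live when walking backwards from `eax`; the same walk from `edx` instead would report only `pop edx` and `push edx`, which is why the obfuscation leaves every register but eax untouched.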
- Emulation is always an excellent method to solve practical reverse engineering problems and, fortunately, we have uEmu and could also use the Keystone Engine assembler and the Capstone Engine disassembler.

- Keystone Engine acts as an assembler and:
  - Supports x86, MIPS, ARM and many other architectures.
  - It is implemented in C/C++ and has bindings to Python, Ruby, PowerShell and C# (among other languages).

- Installing Keystone:

root@kali:~/Desktop# wget https://github.com/keystone-engine/keystone/archive/0.9.1.tar.gz
root@kali:~/programs# cp /root/Desktop/keystone-0.9.1.tar.gz .
root@kali:~/programs# tar -zxvf keystone-0.9.1.tar.gz
root@kali:~/programs/keystone-0.9.1# apt-get install cmake
root@kali:~/programs/keystone-0.9.1# mkdir build ; cd build
root@kali:~/programs/keystone-0.9.1/build# apt-get install time
root@kali:~/programs/keystone-0.9.1/build# ../make-share.sh
root@kali:~/programs/keystone-0.9.1/build# make install
root@kali:~/programs/keystone-0.9.1/build# ldconfig
root@kali:~/programs/keystone-0.9.1/build# tail -3 /root/.bashrc
export PATH=$PATH:/root/programs/phantomjs-2.1.1-linux-x86_64/bin:/usr/local/bin/kstool
export RUBYLIB=$RUBYLIB:~/programs/metasm
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
#include <stdio.h>
#include <keystone/keystone.h>

/* Instructions from the original obfuscated code. */
#define DEFCON "push ebx; mov ebx, 0xb9; sub eax, ebx; pop ebx; sub eax, 0x55; sub eax, " \
               "0x32; add eax, ecx; add eax, 0x50; add eax, 0x37; push edx; push ecx; mov ecx, 0x49; " \
               "mov edx, ecx; pop ecx; inc edx; add edx, 0x70; dec edx; add eax, edx; pop edx"

int main(int argc, char **argv)
{
    ks_engine *keyeng;
    ks_err keyerr = KS_ERR_ARCH;
    size_t count;
    unsigned char *encode;
    size_t size;

    /* Creating a keystone engine. */
    keyerr = ks_open(KS_ARCH_X86, KS_MODE_32, &keyeng);
    if (keyerr != KS_ERR_OK) {
        printf("ERROR: A fail occurred while calling ks_open(), quit\n");
        return -1;
    }

    /* Assembling our instructions using keystone engine. */
    if (ks_asm(keyeng, DEFCON, 0, &encode, &size, &count)) {
        printf("ERROR: A fail has occurred while calling ks_asm() with count = %lu, error code = %u\n",
               count, ks_errno(keyeng));
    } else {
        size_t i;
        for (i = 0; i < size; i++) {
            printf("%02x ", encode[i]);
        }
        printf("\n");
        ks_free(encode);          /* freeing memory (only valid when ks_asm() succeeded) */
    }

    /* Closing engine. */
    ks_close(keyeng);
    return 0;
}
root@kali:~/programs/defcon# more Makefile
.PHONY: all clean

KEYSTONE_LDFLAGS = -lkeystone -lstdc++ -lm

all:
	${CC} -o defcon2019 defcon2019.c ${KEYSTONE_LDFLAGS}

clean:
	rm -rf *.o defcon2019
root@kali:~/programs/defcon# make
cc -o defcon2019 defcon2019.c -lkeystone -lstdc++ -lm
root@kali:~/programs/defcon# ./defcon2019
53 bb b9 00 00 00 29 d8 5b 83 e8 55 83 e8 32 01 c8 83 c0 50 83 c0 37 52 51 b9 49 00 00 00 89 ca 59 42 83 c2 70 4a 01 d0 5a
root@kali:~/programs/defcon# ./defcon2019 | xxd -r -p - > defcon2019.bin
root@kali:~/programs/defcon# hexdump -C defcon2019.bin
00000000  53 bb b9 00 00 00 29 d8  5b 83 e8 55 83 e8 32 01  |S.....).[..U..2.|
00000010  c8 83 c0 50 83 c0 37 52  51 b9 49 00 00 00 89 ca  |...P..7RQ.I.....|
00000020  59 42 83 c2 70 4a 01 d0  5a                       |YB..pJ..Z|
00000029
root@kali:~/programs/defcon#
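The 41 bytes above are what Keystone produced; the encoding rules behind them are short enough to write out by hand. The block below is an added example for this page, not code from the talk or from Keystone: a Python assembler for exactly the instruction subset the sample uses (single-byte push/pop/inc/dec, `B8+r` moves, the `01`/`29`/`89` register-register forms and the `83`/`81` immediate group, plus the `05`/`2D` accumulator short forms). Fed the same `DEFCON` string as `ks_asm()`, it reproduces the bytes printed by `./defcon2019`. The names `REGS`, `GROUP1`, `assemble_one` and so on are this example's own.

```python
import struct

REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
ONE_BYTE = {"inc": 0x40, "dec": 0x48, "push": 0x50, "pop": 0x58}  # opcode + register number
REG_REG = {"add": 0x01, "sub": 0x29, "mov": 0x89}                  # "op r/m32, r32" encodings
GROUP1 = {"add": 0, "sub": 5}                                      # /digit for the 0x81 / 0x83 group
EAX_IMM32 = {"add": 0x05, "sub": 0x2D}                             # short forms for the accumulator

# The same instruction string the page feeds to ks_asm().
DEFCON = ("push ebx; mov ebx, 0xb9; sub eax, ebx; pop ebx; sub eax, 0x55; sub eax, 0x32; "
          "add eax, ecx; add eax, 0x50; add eax, 0x37; push edx; push ecx; mov ecx, 0x49; "
          "mov edx, ecx; pop ecx; inc edx; add edx, 0x70; dec edx; add eax, edx; pop edx")


def modrm(reg, rm):
    """ModRM byte with mod=11 (register-direct): reg field = source or /digit, rm = destination."""
    return 0xC0 | (reg << 3) | rm


def assemble_one(text):
    mnem, _, rest = text.strip().lower().partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    if mnem in ONE_BYTE and len(ops) == 1 and ops[0] in REGS:
        return bytes([ONE_BYTE[mnem] + REGS[ops[0]]])
    if len(ops) != 2 or ops[0] not in REGS:
        raise ValueError("unsupported instruction: " + text)
    dst, src = ops
    if src in REGS:                                    # register, register
        if mnem not in REG_REG:
            raise ValueError("unsupported instruction: " + text)
        return bytes([REG_REG[mnem], modrm(REGS[src], REGS[dst])])
    imm = int(src, 0)
    if mnem == "mov":                                  # B8+r id
        return bytes([0xB8 + REGS[dst]]) + struct.pack("<I", imm & 0xFFFFFFFF)
    if mnem not in GROUP1:
        raise ValueError("unsupported instruction: " + text)
    if -128 <= imm <= 127:                             # 83 /digit ib (imm8 is sign-extended)
        return bytes([0x83, modrm(GROUP1[mnem], REGS[dst])]) + struct.pack("<b", imm)
    if dst == "eax":                                   # 05 id / 2D id
        return bytes([EAX_IMM32[mnem]]) + struct.pack("<I", imm & 0xFFFFFFFF)
    return bytes([0x81, modrm(GROUP1[mnem], REGS[dst])]) + struct.pack("<I", imm & 0xFFFFFFFF)


def assemble(source):
    """Assemble ';'- or newline-separated instructions into x86-32 machine code."""
    return b"".join(assemble_one(line) for line in source.replace(";", "\n").splitlines()
                    if line.strip())


if __name__ == "__main__":
    code = assemble(DEFCON)
    print(" ".join("%02x" % b for b in code))   # same bytes as the Keystone program prints
    print("%d bytes" % len(code))
```

The one subtlety worth noticing is the immediate width: `0x55` fits the sign-extended imm8 of opcode `83`, but an immediate such as `0xb9` does not (as imm8 it would read as `-0x47`), so `add eax, 0xb9` must take the `05 id` form, which is the check a hand-written encoder most often gets wrong.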
#include <stdio.h>
#include <inttypes.h>
#include <capstone/capstone.h>

#define CODE "\x53\xbb\xb9\x00\x00\x00\x29\xd8\x5b\x83\xe8\x55\x83\xe8\x32\x01\xc8" \
             "\x83\xc0\x50\x83\xc0\x37\x52\x51\xb9\x49\x00\x00\x00\x89\xca\x59\x42\x83\xc2\x70" \
             "\x4a\x01\xd0\x5a"

int main(void)
{
    csh cs_handle;
    cs_insn *instruction;
    size_t count;

    if (cs_open(CS_ARCH_X86, CS_MODE_32, &cs_handle) != CS_ERR_OK)
        return -1;
    /* Disassemble all instructions starting at address 0x0001 (count = 0 means no limit). */
    count = cs_disasm(cs_handle, (const uint8_t *)CODE, sizeof(CODE) - 1, 0x0001, 0, &instruction);
    if (count > 0) {
        size_t j;
        for (j = 0; j < count; j++) {
            /* cs_insn.address is a uint64_t, so it needs PRIx64. */
            printf("0x%" PRIx64 ":\t%s\t\t%s\n", instruction[j].address,
                   instruction[j].mnemonic, instruction[j].op_str);
        }
        cs_free(instruction, count);
    } else {
        printf("Error: It's happened an error during the disassembling!\n");
    }
    cs_close(&cs_handle);

    return 0;
}
root@kali:~/programs/defcon/capstone# more Makefile
.PHONY: all clean

CAPSTONE_LDFLAGS = -lcapstone -lstdc++ -lm

all:
	$(CC) -o defcon2019_rev defcon2019_rev.c $(CAPSTONE_LDFLAGS)

clean:
	rm -rf *.o defcon2019_rev
root@kali:~/programs/defcon/capstone# make
cc -o defcon2019_rev defcon2019_rev.c -lcapstone -lstdc++ -lm
root@kali:~/programs/defcon/capstone# ./defcon2019_rev
0x1:	push		ebx
0x2:	mov		ebx, 0xb9
0x7:	sub		eax, ebx
0x9:	pop		ebx
0xa:	sub		eax, 0x55
0xd:	sub		eax, 0x32
0x10:	add		eax, ecx
0x12:	add		eax, 0x50
0x15:	add		eax, 0x37
0x18:	push		edx
0x19:	push		ecx
0x1a:	mov		ecx, 0x49
0x1f:	mov		edx, ecx
0x21:	pop		ecx
0x22:	inc		edx
0x23:	add		edx, 0x70
0x26:	dec		edx
0x27:	add		eax, edx
0x29:	pop		edx
root@kali:~/programs/defcon/capstone#

(Original code disassembled by Capstone.)
[IDA Pro screenshot: defcon2019.bin loaded as a binary file, range 0000h - 0029h, loaded length 0029h]

.686p
.mmx
.model flat

seg000 segment byte public 'CODE' use32
assume cs:seg000
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing

push ebx
mov ebx, 0B9h
sub eax, ebx
pop ebx
sub eax, 55h
sub eax, 32h
add eax, ecx
add eax, 50h
add eax, 37h
push edx
push ecx
mov ecx, 49h
mov edx, ecx
pop ecx
inc edx
add edx, 70h
dec edx
add eax, edx
pop edx

seg000 ends

(IDA Pro confirms our disassembly task.)

ν΄ Download uEmu from https://github.com/alexhude/ 


ν uEmu CPU Context IEE li r3 Χ uEmu 
: ν΄ Install Unicorn: pip install unicorn. 


v Load uEmu in IDA using ALT+F7 hot key. 


set up before 
running uEmu 


бх20: pop edx 


6x 66666669 edi: 6x66666006 
бх 000000060 ebp: 0x0000880800 
6x 86666666 esp: OxFFFFFFFC 
6x 80880889 eip: 6x66666628 


6x 66666666 sp: 8x8888FFFC 


онер 


cel | Search. This result confirms our previous 


Python 2.7.15 (u2.7.15:ca879a3ea3, Apr 38 2818, 16:22:17) [MSC 0.1506 32 bit (Inte1)] 
IDAPython v1.7.0 final (serial 8) (c) The IDAPython Team <idapython@googlegroups .com> 
[uEmu]: Init plugin 
[uEmu]: Run plugin 
[uEmu]: CPU arch set to [ x86 ] 

[uEmu]: Emulator is not active 

[uEmu]: Emulator is not active 

[uEmu]: Emulation started 

[uEmu]: Mapping segments... 

[uEmu]: * seg [8:29]| 

[uEnu]: map [8:FFF] -> [8:FFF] 

[uEmu]: сру [8:28] 

[uEmu]: * <H> Missing memory at 8üxfffffffc, data size = 4, data value = 8x8 
[uEmu] : map [FFFFFFFC:FFFFFFFF] -> [FFFFF888:FFFFFFFF] 

[uEmu]: Breakpoint reached at 8x28 : pop edx 


Python 
#include <unicorn/unicorn.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

// Our code to be emulated.
#define DEFCON_CODE "\x53\xbb\xb9\x00\x00\x00\x29\xd8\x5b\x83\xe8\x55\x83\xe8\x32\x01\xc8" \
                    "\x83\xc0\x50\x83\xc0\x37\x52\x51\xb9\x49\x00\x00\x00\x89\xca\x59\x42\x83" \
                    "\xc2\x70\x4a\x01\xd0\x5a"

// Emulation start address and a simple macro.
#define ADDR 0x1000000
#define MIN(x, y) ((x) < (y) ? (x) : (y))

// Hook the instruction execution.
static void hook_code(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    int r_eip;
    int r_eax;
    int r_ebx;
    int r_ecx;
    int r_edx;
    uint8_t instr_bytes[16];

    printf("\nTracing instruction at 0x%" PRIx64 " , instruction size = 0x%x\n", address, size);

    uc_reg_read(uc, UC_X86_REG_EIP, &r_eip);
    uc_reg_read(uc, UC_X86_REG_EAX, &r_eax);
    uc_reg_read(uc, UC_X86_REG_EBX, &r_ebx);
    uc_reg_read(uc, UC_X86_REG_ECX, &r_ecx);
    uc_reg_read(uc, UC_X86_REG_EDX, &r_edx);

    // Print the current values of the registers.
    printf("\n>> EIP=0x%x ", r_eip);
    printf("| EAX=0x%x ", r_eax);
    printf("| EBX=0x%x ", r_ebx);
    printf("| ECX=0x%x ", r_ecx);
    printf("| EDX=0x%x ", r_edx);
    printf("\n>> Executed hex code: ");

    size = MIN(sizeof(instr_bytes), size);
    if (!uc_mem_read(uc, address, instr_bytes, size)) {
        uint32_t i;
        for (i = 0; i < size; i++) {
            printf("%x ", instr_bytes[i]);
        }
        printf("\n");
    }
}

int main(int argc, char **argv, char **envp)
{
    // Declare and initialize a few variables.
    uc_engine *uc;
    uc_hook traceinstr;
    uc_err err;

    // Set up the initial register values.
    // We have to set up the ESP register for emulating PUSH/POP instructions.
    int r_eax = 0x4;
    int r_ebx = 0x0;
    int r_ecx = 0x7;
    int r_edx = 0x0;
    int r_esp = ADDR + 200000;

    printf("\nInitial register values: \n");
    printf("\n>> EAX = %x ", r_eax);
    printf("\n>> EBX = %x ", r_ebx);
    printf("\n>> ECX = %x ", r_ecx);
    printf("\n>> EDX = %x ", r_edx);
    printf("\n\nOur emulated code is: \n");

    // We are emulating a 32-bit application in the x86 emulator, so initialize the emulator
    // in X86-32bit mode :)
    // If we wished to emulate x64 code, we would use UC_MODE_64.
    err = uc_open(UC_ARCH_X86, UC_MODE_32, &uc);
    if (err != UC_ERR_OK) {
        printf("A fail to use uc_open() has occurred and the error returned is: %u\n", err);
        return -1;
    }

    // We are reserving 4MB memory for this emulation. Additionally, UC_PROT_ALL means RWX.
    uc_mem_map(uc, ADDR, 4 * 1024 * 1024, UC_PROT_ALL);

    // Write machine code to be emulated to memory.
    if (uc_mem_write(uc, ADDR, DEFCON_CODE, sizeof(DEFCON_CODE) - 1)) {
        printf("It has happened a fail during the write emulation code to memory!\n");
        return -1;
    }

    // We need to initialize the machine registers.
    uc_reg_write(uc, UC_X86_REG_EAX, &r_eax);
    uc_reg_write(uc, UC_X86_REG_EBX, &r_ebx);
    uc_reg_write(uc, UC_X86_REG_ECX, &r_ecx);
    uc_reg_write(uc, UC_X86_REG_EDX, &r_edx);
    uc_reg_write(uc, UC_X86_REG_ESP, &r_esp);

    // uc: hook handle ; traceinstr: reference to uc_hook ; UC_HOOK_CODE: hook type ;
    // hook_code: callback function ; begin=1 > end=0 means the hook covers every address.
    uc_hook_add(uc, &traceinstr, UC_HOOK_CODE, hook_code, NULL, 1, 0);

    // Start the emulation engine and emulate code in infinite time (first zero below)
    // & unlimited instructions (second zero below).
    err = uc_emu_start(uc, ADDR, ADDR + sizeof(DEFCON_CODE) - 1, 0, 0);
    if (err) {
        printf("The uc_emu_start() function has failed with error returning %u: %s\n",
               err, uc_strerror(err));
    }

    // Finally, print out the final register values.
    printf("\nThe final CPU registers contain the following content: \n\n");

    uc_reg_read(uc, UC_X86_REG_EAX, &r_eax);
    uc_reg_read(uc, UC_X86_REG_EBX, &r_ebx);
    uc_reg_read(uc, UC_X86_REG_ECX, &r_ecx);
    uc_reg_read(uc, UC_X86_REG_EDX, &r_edx);

    printf(">>> EAX = 0x%x", r_eax);
    printf("\n>>> EBX = 0x%x", r_ebx);
    printf("\n>>> ECX = 0x%x", r_ecx);
    printf("\n>>> EDX = 0x%x\n\n", r_edx);

    uc_close(uc);
    return 0;
}

DEF CON CHINA 1.0 (2019)
root@kali:~/programs/defcon/unicorn# ./unicorn_defcon

Initial register values:

>> EAX = 4
>> EBX = 0
>> ECX = 7
>> EDX = 0

Our emulated code is:

Tracing instruction at 0x1000000 , instruction size = 0x1

>> EIP=0x1000000 | EAX=0x4 | EBX=0x0 | ECX=0x7 | EDX=0x0
>> Executed hex code: 53

Tracing instruction at 0x1000001 , instruction size = 0x5

>> EIP=0x1000001 | EAX=0x4 | EBX=0x0 | ECX=0x7 | EDX=0x0
>> Executed hex code: bb b9 0 0 0

Tracing instruction at 0x1000006 , instruction size = 0x2

>> EIP=0x1000006 | EAX=0x4 | EBX=0xb9 | ECX=0x7 | EDX=0x0
>> Executed hex code: 29 d8

Tracing instruction at 0x1000008 , instruction size = 0x1

>> EIP=0x1000008 | EAX=0xffffff4b | EBX=0xb9 | ECX=0x7 | EDX=0x0
>> Executed hex code: 5b


Tracing instruction at 0x1000021 , instruction size = 0x1

>> EIP=0x1000021 | EAX=0xffffff52 | EBX=0x0 | ECX=0x7 | EDX=0x49
>> Executed hex code: 42

Tracing instruction at 0x1000022 , instruction size = 0x3

>> EIP=0x1000022 | EAX=0xffffff52 | EBX=0x0 | ECX=0x7 | EDX=0x4a
>> Executed hex code: 83 c2 70

Tracing instruction at 0x1000025 , instruction size = 0x1

>> EIP=0x1000025 | EAX=0xffffff52 | EBX=0x0 | ECX=0x7 | EDX=0xba
>> Executed hex code: 4a

Tracing instruction at 0x1000026 , instruction size = 0x2

>> EIP=0x1000026 | EAX=0xffffff52 | EBX=0x0 | ECX=0x7 | EDX=0xb9
>> Executed hex code: 1 d0

Tracing instruction at 0x1000028 , instruction size = 0x1

>> EIP=0x1000028 | EAX=0xb | EBX=0x0 | ECX=0x7 | EDX=0xb9
>> Executed hex code: 5a

The final CPU registers contain the following content:

>>> EAX = 0xb
>>> EBX = 0x0
>>> ECX = 0x7
>>> EDX = 0x0
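The Capstone listing and the Unicorn trace above can both be reproduced from the 41 bytes of defcon2019.bin with no library at all, which is a useful sanity check when an emulator's output looks surprising. The block below is an added example written for this page, not code from the talk, Capstone or Unicorn: a decoder for the opcode subset the sample uses (it goes slightly beyond the page in also accepting the `81 /digit id` 32-bit immediate form) and a register-only executor that replays the decoded instructions with the same initial values (EAX=4, ECX=7) and the same stack pointer as the Unicorn program, recording the register state before each instruction exactly as the `hook_code` callback prints it. `decode`, `emulate` and the sparse dword map used as stack memory are this example's own.

```python
import struct

MASK = 0xFFFFFFFF
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # ModRM / opcode register numbers

# The 41 bytes of defcon2019.bin as printed by the Keystone program on the page.
CODE = bytes.fromhex("53bbb900000029d85b83e85583e83201c883c05083c0375251"
                     "b94900000089ca594283c2704a01d05a")


def decode(code, base=0):
    """Decode the opcode subset used by the sample (register-direct forms only).
    Returns a list of (address, length, mnemonic, [operands]) tuples."""
    insns, pc = [], 0
    while pc < len(code):
        start, op = pc, code[pc]
        pc += 1
        if 0x40 <= op <= 0x5F:                                  # inc / dec / push / pop r32
            mnem, ops = ("inc", "dec", "push", "pop")[(op - 0x40) >> 3], [REG[op & 7]]
        elif 0xB8 <= op <= 0xBF:                                # mov r32, imm32
            mnem, ops = "mov", [REG[op & 7], hex(struct.unpack_from("<I", code, pc)[0])]
            pc += 4
        elif op in (0x01, 0x29, 0x89):                          # add / sub / mov r/m32, r32
            modrm = code[pc]
            pc += 1
            if modrm >> 6 != 3:
                raise ValueError("memory operand at %#x not supported" % (base + start))
            mnem = {0x01: "add", 0x29: "sub", 0x89: "mov"}[op]
            ops = [REG[modrm & 7], REG[(modrm >> 3) & 7]]       # rm = destination, reg = source
        elif op in (0x81, 0x83):                                # group 1: add / sub r/m32, imm
            modrm = code[pc]
            pc += 1
            digit = (modrm >> 3) & 7
            if modrm >> 6 != 3 or digit not in (0, 5):
                raise ValueError("unsupported group-1 form at %#x" % (base + start))
            fmt, width = ("<b", 1) if op == 0x83 else ("<i", 4)  # imm8 is sign-extended
            imm = struct.unpack_from(fmt, code, pc)[0]
            pc += width
            mnem, ops = ("add" if digit == 0 else "sub"), [REG[modrm & 7], hex(imm & MASK)]
        else:
            raise ValueError("unsupported opcode %#x at %#x" % (op, base + start))
        insns.append((base + start, pc - start, mnem, ops))
    return insns


def emulate(code, base=0x1000000, **init):
    """Concrete execution of the decoded instructions, like the Unicorn run on the page.
    Returns (final registers, trace); each trace entry is (eip, registers before, hex bytes)."""
    regs = dict.fromkeys(REG, 0)
    regs["esp"] = base + 200000          # same initial stack pointer as the Unicorn sample
    regs.update(init)
    stack, trace = {}, []                # stack memory as a sparse dword map (address -> value)
    value = lambda o: regs[o] if o in regs else int(o, 16)
    for addr, size, mnem, ops in decode(code, base):
        off = addr - base
        trace.append((addr, dict(regs), code[off:off + size].hex()))
        dst = ops[0]
        if mnem == "push":
            regs["esp"] = (regs["esp"] - 4) & MASK
            stack[regs["esp"]] = regs[dst]
        elif mnem == "pop":
            regs[dst] = stack.pop(regs["esp"])
            regs["esp"] = (regs["esp"] + 4) & MASK
        elif mnem == "mov":
            regs[dst] = value(ops[1])
        elif mnem == "add":
            regs[dst] = (regs[dst] + value(ops[1])) & MASK
        elif mnem == "sub":
            regs[dst] = (regs[dst] - value(ops[1])) & MASK
        elif mnem == "inc":
            regs[dst] = (regs[dst] + 1) & MASK
        elif mnem == "dec":
            regs[dst] = (regs[dst] - 1) & MASK
    return regs, trace


if __name__ == "__main__":
    for addr, _, mnem, ops in decode(CODE, 1):          # same base address as the Capstone run
        print("%#x:\t%s\t\t%s" % (addr, mnem, ", ".join(ops)))
    regs, trace = emulate(CODE, eax=4, ecx=7)
    for eip, before, raw in trace:
        print(">> EIP=%#x | EAX=%#x | EBX=%#x | ECX=%#x | EDX=%#x  bytes: %s"
              % (eip, before["eax"], before["ebx"], before["ecx"], before["edx"], raw))
    print("final EAX=%#x EBX=%#x ECX=%#x EDX=%#x" % (regs["eax"], regs["ebx"], regs["ecx"], regs["edx"]))
```

Run as-is it prints the same nineteen instructions at the same offsets as Capstone and the same register snapshots as the Unicorn hook (EAX becomes 0xffffff4b after `sub eax, ebx` and ends at 0xb), and because push/pop go through an explicit map, an unbalanced stack raises a KeyError instead of silently reading garbage, which is the failure mode an emulator without a mapped stack page shows.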
ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER

MIASM
- MIASM is one of the most impressive frameworks for reverse engineering; it is able to analyze, generate and modify several different types of programs.

- MIASM supports assembling and disassembling programs from different platforms such as ARM, x86, MIPS and so on, and it is also able to emulate them by using JIT.

- Therefore, MIASM is excellent for de-obfuscation.

- Installing MIASM:

git clone https://github.com/serpilliere/elfesteem.git elfesteem
cd elfesteem/
python setup.py build
python setup.py install
apt-get install clang texinfo texi2html
apt-get remove libtcc-dev
apt-get install llvm
cd ..
git clone http://repo.or.cz/tinycc.git
cd tinycc/
git checkout release_0_9_26
./configure --disable-static
make
make install
pip install llvmlite
apt-get install z3
apt-get install python-pycparser
git clone https://github.com/cea-sec/miasm.git
root@kali:~/programs/miasm# python setup.py build
root@kali:~/programs/miasm# python setup.py install
root@kali:~/programs/miasm/test# python test_all.py
apt-get install graphviz
apt-get install xdot

- (testing MIASM) root@kali:~/programs# python /root/programs/miasm/example/disasm/full.py -m x86_32 /root/programs/shellcode
INFO : Load binary
INFO : ok
INFO : import machine...
INFO : ok
INFO : func ok 0000000000001070 (0)
INFO : generate graph file
INFO : generate intervals
[0x1070 0x10A2]
INFO : total lines 0

- (testing MIASM) xdot graph_execflow.dot
[Figure: graph_execflow.dot opened in the xdot Dot Viewer, showing the control-flow graph of the test shellcode: the entry block at 0x1070 ending in CALL loc_10a2, a second block at loc_1080 ending in a CALL, and loc_10a1: HLT.]
from miasm2.analysis.binary import Container
from miasm2.analysis.machine import Machine
from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE

# Open our file. The Container provides the byte source to the disasm engine.
with open("defcon2019.bin") as fdesc:
    cont = Container.from_stream(fdesc)

# Instantiate the disassembly engine using the x86 32-bit architecture.
machine = Machine('x86_32')
mdis = machine.dis_engine(cont.bin_stream)
# Run the recursive traversal disassembly from the beginning.
ourblocks = mdis.dis_multiblock(0)

for block in ourblocks:
    print block

# Set "llvm" as JIT engine for the emulation and initialize the stack.
jitter = machine.jitter("llvm")
jitter.init_stack()

s = open("defcon2019.bin").read()

# Set the virtual start address, register values and memory protection.
run_addr = 0x40000000
jitter.cpu.EAX = 3
jitter.cpu.ECX = 6
jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s)

def code_sentinelle(jitter):
    jitter.run = False
    jitter.pc = 0
    return True

# Add a breakpoint at the end of the code (the address pushed as return address).
jitter.add_breakpoint(0x40000028, code_sentinelle)
jitter.push_uint32_t(0x40000028)
jitter.jit.log_regs = True
jitter.jit.log_mn = True
jitter.init_run(run_addr)
# Run the emulation.
jitter.continue_run()

# Generate a dot graph.
open('defcon2019_cfg.dot', 'w').write(ourblocks.dot())
root@kali:~/programs/defcon# python miasm.py
WARNING: not enough bytes in str
WARNING: cannot disasm at 29
WARNING: not enough bytes in str
WARNING: cannot disasm at 29
loc_0000000000000000:0x00000000
PUSH       EBX
MOV        EBX, 0xB9
SUB        EAX, EBX
POP        EBX
SUB        EAX, 0x55
SUB        EAX, 0x32
ADD        EAX, ECX
ADD        EAX, 0x50
ADD        EAX, 0x37
PUSH       EDX
PUSH       ECX
MOV        ECX, 0x49
MOV        EDX, ECX
POP        ECX
INC        EDX
ADD        EDX, 0x70
DEC        EDX
ADD        EAX, EDX
POP        EDX
->      c_next:loc_0000000000000029:0x00000029
loc_0000000000000029:0x00000029

(Disassembling our code, again.)
40000000 PUSH       EBX
EAX 00000003 EBX 00000000 ECX 00000006 EDX 00000000 ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 0 of 0 cf 0
40000001 MOV        EBX, 0xB9
EAX 00000003 EBX 000000B9 ECX 00000006 EDX 00000000 ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 0 of 0 cf 0
40000006 SUB        EAX, EBX
EAX FFFFFF4A EBX 000000B9 ECX 00000006 EDX 00000000 ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 1 of 0 cf 1
40000008 POP        EBX
EAX FFFFFF4A EBX 00000000 ECX 00000006 EDX 00000000 ESI 00000000 EDI 00000000
ESP 0123FFFC EBP 00000000 EIP 40000000 zf 0 nf 1 of 0 cf 1
40000009 SUB        EAX, 0x55
EAX FFFFFEF5 EBX 00000000 ECX 00000006 EDX 00000000 ESI 00000000 EDI 00000000
ESP 0123FFFC EBP 00000000 EIP 40000000 zf 0 nf 1 of 0 cf 0
4000000C SUB        EAX, 0x32
EAX FFFFFEC3 EBX 00000000 ECX 00000006 EDX 00000000 ESI 00000000 EDI 00000000
ESP 0123FFFC EBP 00000000 EIP 40000000 zf 0 nf 1 of 0 cf 0

40000020 POP        ECX
EAX FFFFFF50 EBX 00000000 ECX 00000006 EDX 00000049 ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 1 of 0 cf 0
40000021 INC        EDX
EAX FFFFFF50 EBX 00000000 ECX 00000006 EDX 0000004A ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 0 of 0 cf 0
40000022 ADD        EDX, 0x70
EAX FFFFFF50 EBX 00000000 ECX 00000006 EDX 000000BA ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 0 of 0 cf 0
40000025 DEC        EDX
EAX FFFFFF50 EBX 00000000 ECX 00000006 EDX 000000B9 ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 0 of 0 cf 0
40000026 ADD        EAX, EDX
EAX 00000009 EBX 00000000 ECX 00000006 EDX 000000B9 ESI 00000000 EDI 00000000
ESP 0123FFF8 EBP 00000000 EIP 40000000 zf 0 nf 0 of 0 cf 1
[Figure: defcon2019_cfg.dot rendered as a graph: block loc_0000000000000000 containing PUSH EBX ... POP EDX, with an edge to loc_0000000000000029. Our proposed code.]
root@kali:~/programs/defcon# python
Python 2.7.16 (default, Apr  6 2019, 01:42:57)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from miasm2.analysis.binary import Container
>>> from miasm2.analysis.machine import Machine
>>> from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE
>>> with open("defcon2019.bin") as fdesc:
...     cont = Container.from_stream(fdesc)
...
>>> defconmach = Machine('x86_32')
>>> defcondis = defconmach.dis_engine(cont.bin_stream)
>>> myblocks = defcondis.dis_multiblock(0)
WARNING: not enough bytes in str
WARNING: cannot disasm at 29
WARNING: not enough bytes in str
WARNING: cannot disasm at 29
>>> sym = defconmach.ira()                  # get the IRA converter
>>> for block in myblocks:
...     sym.add_block(block)
...
[<miasm2.ir.ir.IRBlock object at 0x7f0fde22b870>]
[]
>>> from miasm2.ir.symbexec import SymbolicExecutionEngine
>>> symb = SymbolicExecutionEngine(sym, defconmach.mn.regs.regs_init)   # initialize the symbolic execution engine
>>> symbolic_pc = symb.run_at(0, step=True)                             # and run it
>>> symbolic_pc = symb.run_at(0, step=True)
Instr PUSH       EBX
Assignblk:
ESP = ESP + -0x4
@32[ESP + -0x4] = EBX

ESP = ESP_init + 0xFFFFFFFC
@32[ESP_init + 0xFFFFFFFC] = EBX_init

Instr MOV        EBX, 0xB9
Assignblk:
EBX = 0xB9

ESP = ESP_init + 0xFFFFFFFC
EBX = 0xB9
@32[ESP_init + 0xFFFFFFFC] = EBX_init

Instr SUB        EAX, EBX
Assignblk:
zf = (EAX + -EBX)?(0x0,0x1)
nf = (EAX + -EBX)[31:32]
pf = parity((EAX + -EBX) & 0xFF)
of = ((EAX ^ (EAX + -EBX)) & (EAX ^ EBX))[31:32]
cf = (((EAX ^ EBX) ^ (EAX + -EBX)) ^ ((EAX ^ (EAX + -EBX)) & (EAX ^ EBX)))[31:32]
af = ((EAX ^ EBX) ^ (EAX + -EBX))[4:5]
EAX = EAX + -EBX
EAX = EAX_init + ECX_init
cf = ((((EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47)) & ((EAX_init + ECX_init + 0xFFFFFF47) ^ 0xFFFFFF46)) ^ (EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47) ^ 0xB9)[31:32]
pf = parity((EAX_init + ECX_init) & 0xFF)
zf = (EAX_init + ECX_init)?(0x0,0x1)
af = ((EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47) ^ 0xB9)[4:5]
of = (((EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47)) & ((EAX_init + ECX_init + 0xFFFFFF47) ^ 0xFFFFFF46))[31:32]
nf = (EAX_init + ECX_init)[31:32]
@32[ESP_init + 0xFFFFFFF8] = ECX_init
@32[ESP_init + 0xFFFFFFFC] = EDX_init

Instr POP        EDX
Assignblk:
IRDst = loc_0000000000000029:0x00000029

EAX = EAX_init + ECX_init
cf = ((((EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47)) & ((EAX_init + ECX_init + 0xFFFFFF47) ^ 0xFFFFFF46)) ^ (EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47) ^ 0xB9)[31:32]
pf = parity((EAX_init + ECX_init) & 0xFF)
zf = (EAX_init + ECX_init)?(0x0,0x1)
af = ((EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47) ^ 0xB9)[4:5]
IRDst = 0x29
of = (((EAX_init + ECX_init) ^ (EAX_init + ECX_init + 0xFFFFFF47)) & ((EAX_init + ECX_init + 0xFFFFFF47) ^ 0xFFFFFF46))[31:32]
nf = (EAX_init + ECX_init)[31:32]
@32[ESP_init + 0xFFFFFFF8] = ECX_init
@32[ESP_init + 0xFFFFFFFC] = EDX_init

(The same conclusion as from our previous tests: EAX = EAX_init + ECX_init.)
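The flag formulas in the SUB Assignblk above look opaque, but they can be checked directly against the values of the jitter run. The block below is an added example for this page, not Miasm code: each formula that Miasm printed for `SUB EAX, EBX` is transcribed into Python, reading the IR slice `x[31:32]` as bit 31 and `x[4:5]` as bit 4, and compared with the textbook definition of the same flag on the page's own operands (EAX=3, EBX=0xB9 must give EAX=FFFFFF4A, nf 1, cf 1; the following `SUB EAX, 0x55` must give nf 1, cf 0) and on random operands. `sub_flags_ir`, `sub_flags_arith` and `cross_check` are this example's own names.

```python
MASK32 = 0xFFFFFFFF


def bit(x, n):
    """x[n:n+1] in Miasm's slice notation: the single bit n."""
    return (x >> n) & 1


def parity(v):
    """x86 PF as Miasm's parity(): 1 when the low byte has an even number of set bits."""
    return 1 - (bin(v & 0xFF).count("1") & 1)


def sub_flags_ir(eax, ebx):
    """Evaluate the Assignblk Miasm prints for SUB EAX, EBX, formula by formula."""
    res = (eax - ebx) & MASK32                                     # EAX + -EBX
    return {
        "eax": res,
        "zf": 0 if res else 1,                                     # (EAX + -EBX)?(0x0,0x1)
        "nf": bit(res, 31),                                        # (EAX + -EBX)[31:32]
        "pf": parity(res),                                         # parity((EAX + -EBX) & 0xFF)
        "of": bit((eax ^ res) & (eax ^ ebx), 31),                  # ((EAX ^ (EAX + -EBX)) & (EAX ^ EBX))[31:32]
        "cf": bit(((eax ^ ebx) ^ res) ^ ((eax ^ res) & (eax ^ ebx)), 31),
        "af": bit((eax ^ ebx) ^ res, 4),                           # ((EAX ^ EBX) ^ (EAX + -EBX))[4:5]
    }


def sub_flags_arith(eax, ebx):
    """The same flags from their arithmetic definitions, used to cross-check the IR."""
    res = (eax - ebx) & MASK32
    signed = lambda v: v - (1 << 32) if v & 0x80000000 else v
    return {
        "eax": res,
        "zf": int(res == 0),
        "nf": bit(res, 31),
        "pf": parity(res),
        "of": int(not -(1 << 31) <= signed(eax) - signed(ebx) < (1 << 31)),   # signed overflow
        "cf": int(eax < ebx),                                                  # unsigned borrow
        "af": int((eax & 0xF) < (ebx & 0xF)),                                  # borrow out of the low nibble
    }


def cross_check(samples=2000, seed=2019):
    """True when both evaluations agree on the page's values and on random operands."""
    import random
    rng = random.Random(seed)
    cases = [(3, 0xB9), (0xFFFFFF4A, 0x55), (0x80000000, 1), (0, 0), (0x7FFFFFFF, 0xFFFFFFFF)]
    cases += [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(samples)]
    return all(sub_flags_ir(a, b) == sub_flags_arith(a, b) for a, b in cases)


if __name__ == "__main__":
    # First SUB of the Miasm jitter run on the page: EAX=3, EBX=0xB9 -> EAX=FFFFFF4A, nf 1, cf 1.
    print(sub_flags_ir(3, 0xB9))
    # Second SUB: EAX=FFFFFF4A minus 0x55 -> EAX=FFFFFEF5, nf 1, cf 0.
    print(sub_flags_ir(0xFFFFFF4A, 0x55))
    print("IR formulas match arithmetic:", cross_check())
```

The `cf` formula is the least obvious one: `(EAX ^ EBX ^ result)` at bit 31 is the borrow into the top bit, and XOR-ing it with the overflow term converts that into the borrow out of the top bit, which is what the carry flag records for a subtraction. Seeing the two evaluations agree on thousands of random operands is what lets you trust a symbolic result like the one Miasm printed without re-deriving every flag by hand.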
TRITON
- It can be downloaded from https://triton.quarkslab.com/
- Based on the Intel Pin instrumentation tool: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool

- Triton offers a C/C++/Python interface that provides:
  - dynamic symbolic execution
  - run-time register information and memory modification
  - taint engine
  - Z3 interface to handle constraints
  - snapshot engine (it is not necessary to restart the program every time; only memory and register states are restored)
  - access to Pin functions
  - symbolic fuzzing
  - code coverage gathering

- Supports x86 and x64 architectures.
- Triton supports:
  - symbolic execution mode:
    - emulates instruction effects.
    - allows us to emulate only part of the program (excellent for analyzing branches).
  - concolic execution mode:
    - allows us to analyze the program only from the start.

- Taint analysis is amazing because we are able to use it in fuzzing tasks to know which registers and memory addresses are "affected" by the user input data.

- During a virtual machine's decoding, it is interesting to distinguish which instructions are related to user input and which are not.
- Installing Triton without Pin (Ubuntu 19):
  - apt-get install libboost-all-dev
  - apt-get install libpython-dev
  - apt-get install libcapstone-dev
  - Take care: DO NOT install libz3-dev. If this package is already installed, remove it.
  - git clone https://github.com/Z3Prover/z3
  - cd z3/
  - python scripts/mk_make.py
  - cd build/
  - make
  - make install
  - git clone https://github.com/JonathanSalwan/Triton.git
  - cd Triton/
  - mkdir build
  - cd build/
  - cmake ..
  - make -j install (my recommendation: 8 GB RAM + 8 GB swapfile)
✓ Installing Triton with Pin (Ubuntu 19):

    ✓ Install the same packages from the last slide.
    ✓ Install Z3 as shown in the last slide.
    ✓ wget https://software.intel.com/sites/landingpage/pintool/downloads/pin-2.14-71313-gcc.4.4.7-linux.tar.gz
    ✓ tar zxvf pin-2.14-71313-gcc.4.4.7-linux.tar.gz
    ✓ cd pin-2.14-71313-gcc.4.4.7-linux/source/tools
    ✓ git clone https://github.com/JonathanSalwan/Triton.git
    ✓ cd Triton/
    ✓ mkdir build
    ✓ cd build
    ✓ cmake -DPINTOOL=on -DKERNEL4=on ..
    ✓ make
    ✓ cd ..
    ✓ ./build/triton ./src/examples/pin/ir.py /usr/bin/host (only to test the installation).
#!/usr/bin/env python2
## -*- coding: utf-8 -*-
##

from __future__ import print_function
from triton import TritonContext, ARCH, Instruction, MemoryAccess, CPUSIZE, OPERAND, REG

import sys

# We define the code to be handled and symbolically executed
mycode = [
    (0x400000, b"\x53"),                  # push ebx
    (0x400001, b"\xbb\xb9\x00\x00\x00"),  # mov ebx, 0xB9
    (0x400006, b"\x29\xd8"),              # sub eax, ebx
    (0x400008, b"\x5b"),                  # pop ebx
    (0x400009, b"\x83\xe8\x55"),          # sub eax, 0x55
    (0x40000c, b"\x83\xe8\x32"),          # sub eax, 0x32
    (0x40000f, b"\x01\xc8"),              # add eax, ecx
    (0x400011, b"\x83\xc0\x50"),          # add eax, 0x50
    (0x400014, b"\x83\xc0\x37"),          # add eax, 0x37
    (0x400017, b"\x52"),                  # push edx
    (0x400018, b"\x51"),                  # push ecx
    (0x400019, b"\xb9\x49\x00\x00\x00"),  # mov ecx, 0x49
    (0x40001e, b"\x89\xca"),              # mov edx, ecx
    (0x400020, b"\x59"),                  # pop ecx
    (0x400021, b"\x42"),                  # inc edx
    (0x400022, b"\x83\xc2\x70"),          # add edx, 0x70
    (0x400025, b"\x4a"),                  # dec edx
    (0x400026, b"\x01\xd0"),              # add eax, edx
    (0x400028, b"\x5a"),                  # pop edx
    (0x400029, b"\xff\xe0"),              # jmp eax
]

if __name__ == '__main__':

    # Set the context for Triton functions
    context = TritonContext()

    # Set the architecture. In our case, we are using x86 32-bit
    context.setArchitecture(ARCH.X86)

    for (addr, opcode) in mycode:
        # Build an instruction object.
        instruction = Instruction()

        # Setup the opcode
        instruction.setOpcode(opcode)

        # Setup start address
        instruction.setAddress(addr)

        # Process our code
        context.processing(instruction)

        print('----------------------------------------')
        print('The current IP: ', instruction)
        pc = context.getRegisterAst(context.registers.eip).evaluate()
        print('The next IP is: ', hex(pc))
        print('----------------------------------------\n\n')

        # Display each instruction, determine the operation type and show opcode information
        print('>>> %s' % instruction)

        print('\n ----------------------------- ')
        print('  Is a memory read? ', instruction.isMemoryRead())
        print('  Is a memory write? :', instruction.isMemoryWrite())
        print(' --------------------------- \n')

        for op_entry in instruction.getOperands():
            print('    %s' % (op_entry))
            if op_entry.getType() == OPERAND.MEM:
                print('    segment :', op_entry.getSegmentRegister())
                print('    base    : %s' % (op_entry.getBaseRegister()))
                print('    index   : %s' % (op_entry.getIndexRegister()))
                print('    disp    : %s' % (op_entry.getDisplacement()))
                print('    scale   : %s' % (op_entry.getScale()))
            print('')

        # Display each one of the symbolic expressions
        for expression in instruction.getSymbolicExpressions():
            print('\t', expression)

        print()

    print()
    print('Registers information')
    print('*******************************')
    for k, v in list(context.getSymbolicRegisters().items()):
        print(context.getRegister(k), v)

    print()
    print('Summary Memory information')
    print('***************************')
    for k, v in list(context.getSymbolicMemory().items()):
        print(hex(k), v)

    print()

    sys.exit(0)
root@kali:~# rasm2 -a x86 -b 32 "push ebx"
53
root@kali:~# rasm2 -a x86 -b 32 "mov ebx, 0xb9"
bbb9000000
root@kali:~# rasm2 -a x86 -b 32 "sub eax, ebx"
29d8
root@kali:~# rasm2 -a x86 -b 32 "pop ebx"
5b
root@kali:~# rasm2 -a x86 -b 32 "sub eax, 0x55"
83e855
root@kali:~# rasm2 -a x86 -b 32 "sub eax, 0x32"
83e832
root@kali:~# rasm2 -a x86 -b 32 "add eax, ecx"
01c8
root@kali:~# rasm2 -a x86 -b 32 "add eax, 0x50"
83c050
root@kali:~# rasm2 -a x86 -b 32 "add eax, 0x37"
83c037
root@kali:~# rasm2 -a x86 -b 32 "push edx"
52
root@kali:~# rasm2 -a x86 -b 32 "push ecx"
51
root@kali:~# rasm2 -a x86 -b 32 "mov ecx, 0x49"
b949000000
root@kali:~# rasm2 -a x86 -b 32 "mov edx, ecx"
89ca
root@kali:~# rasm2 -a x86 -b 32 "pop ecx"
59
root@kali:~# rasm2 -a x86 -b 32 "inc edx"
42
root@kali:~# rasm2 -a x86 -b 32 "add edx, 0x70"
83c270
root@kali:~# rasm2 -a x86 -b 32 "dec edx"
4a
root@kali:~# rasm2 -a x86 -b 32 "add eax, edx"
01d0
root@kali:~# rasm2 -a x86 -b 32 "pop edx"
5a
root@kali:~# rasm2 -a x86 -b 32 "jmp eax"
ffe0

This is an educational way to show how to find the hexadecimal representation for each instruction. However, there are much better ways to do it: opening the binary in IDA Pro, Radare2, Ghidra or even using distorm3.
root@ubuntu19:~/pin214/source/tools/Triton/src/examples/python# python defcon_sym.py | more
----------------------------------------
The current IP:  0x400000: push ebx
The next IP is:  0x400001
----------------------------------------

 -----------------------------
  Is a memory read?
  Is a memory write? :
 ---------------------------

    ebx:32 bv[31..0]

	(define-fun ref!0 () (_ BitVec 32) (bvsub (_ bv0 32) (_ bv4 32))) ; Stack alignment
	(define-fun ref!1 () (_ BitVec 8) ((_ extract 31 24) (_ bv0 32))) ; Byte reference - PUSH operation
	(define-fun ref!2 () (_ BitVec 8) ((_ extract 23 16) (_ bv0 32))) ; Byte reference - PUSH operation
	(define-fun ref!3 () (_ BitVec 8) ((_ extract 15 8) (_ bv0 32))) ; Byte reference - PUSH operation
	(define-fun ref!4 () (_ BitVec 8) ((_ extract 7 0) (_ bv0 32))) ; Byte reference - PUSH operation
	(define-fun ref!5 () (_ BitVec 32) (concat ((_ extract 31 24) (_ bv0 32)) ((_ extract 23 16) (_ bv0 32)) ((_ extract 15 8) (_ bv0 32)) ((_ extract 7 0) (_ bv0 32)))) ; Temporary concatenation reference - PUSH operation
	(define-fun ref!6 () (_ BitVec 32) (_ bv4194305 32)) ; Program Counter

---------------------------------------- (the pushed value is referenced byte by byte)
The current IP:  0x400001: mov ebx, 0xb9
The next IP is:  0x400006
----------------------------------------

>>> 0x400001: mov ebx, 0xb9

 -----------------------------
  Is a memory read?
  Is a memory write? :
 ---------------------------

    ebx:32 bv[31..0]
    0xb9:32 bv[31..0]    (0xb9 == 185)

	(define-fun ref!7 () (_ BitVec 32) (_ bv185 32)) ; MOV operation
	(define-fun ref!8 () (_ BitVec 32) (_ bv4194310 32)) ; Program Counter

----------------------------------------
The current IP:  0x400006: sub eax, ebx
The next IP is:  0x400008
----------------------------------------

>>> 0x400006: sub eax, ebx

 -----------------------------
  Is a memory read?
  Is a memory write? :
 ---------------------------

    eax:32 bv[31..0]
    ebx:32 bv[31..0]

	(define-fun ref!9 () (_ BitVec 32) (bvsub (_ bv0 32) ref!7)) ; SUB operation
	(define-fun ref!10 () (_ BitVec 1) (ite (= (_ bv16 32) (bvand (_ bv16 32) (bvxor ref!9 (bvxor (_ bv0 32) ref!7)))) (_ bv1 1) (_ bv0 1))) ; Adjust flag
	(define-fun ref!11 () (_ BitVec 1) ((_ extract 31 31) (bvxor (bvxor (_ bv0 32) (bvxor ref!7 ref!9)) (bvand (bvxor (_ bv0 32) ref!9) (bvxor (_ bv0 32) ref!7))))) ; Carry flag
	(define-fun ref!12 () (_ BitVec 1) ((_ extract 31 31) (bvand (bvxor (_ bv0 32) ref!7) (bvxor (_ bv0 32) ref!9)))) ; Overflow flag
	(define-fun ref!13 () (_ BitVec 1) (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (_ bv1 1) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv0 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv1 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv2 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv3 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv4 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv5 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv6 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!9) (_ bv7 8))))) ; Parity flag
	(define-fun ref!14 () (_ BitVec 1) ((_ extract 31 31) ref!9)) ; Sign flag
	(define-fun ref!15 () (_ BitVec 1) (ite (= ref!9 (_ bv0 32)) (_ bv1 1) (_ bv0 1))) ; Zero flag
	(define-fun ref!16 () (_ BitVec 32) (_ bv4194312 32)) ; Program Counter
Registers information
*******************************
esp:32 bv[31..0] (define-fun ref!112 () (_ BitVec 32) (bvadd ref!79 (_ bv4 32))) ; Stack alignment
cf:1 bv[0..0] (define-fun ref!105 () (_ BitVec 1) ((_ extract 31 31) (bvxor (bvand ref!52 ref!96) (bvand (bvxor (bvxor ref!52 ref!96) ref!103) (bvxor ref!52 ref!96))))) ; Carry flag
eip:32 bv[31..0] (define-fun ref!114 () (_ BitVec 32) ref!103) ; Program Counter
of:1 bv[0..0] (define-fun ref!106 () (_ BitVec 1) ((_ extract 31 31) (bvand (bvxor ref!52 (bvnot ref!96)) (bvxor ref!52 ref!103)))) ; Overflow flag
eax:32 bv[31..0] (define-fun ref!103 () (_ BitVec 32) (bvadd ref!52 ref!96)) ; ADD operation
sf:1 bv[0..0] (define-fun ref!108 () (_ BitVec 1) ((_ extract 31 31) ref!103)) ; Sign flag
ebx:32 bv[31..0] (define-fun ref!17 () (_ BitVec 32) (concat ref!1 ref!2 ref!3 ref!4)) ; POP operation
zf:1 bv[0..0] (define-fun ref!109 () (_ BitVec 1) (ite (= ref!103 (_ bv0 32)) (_ bv1 1) (_ bv0 1))) ; Zero flag
ecx:32 bv[31..0] (define-fun ref!78 () (_ BitVec 32) (concat ref!68 ref!69 ref!70 ref!71)) ; POP operation
af:1 bv[0..0] (define-fun ref!104 () (_ BitVec 1) (ite (= (_ bv16 32) (bvand (_ bv16 32) (bvxor ref!103 (bvxor ref!52 ref!96)))) (_ bv1 1) (_ bv0 1))) ; Adjust flag
edx:32 bv[31..0] (define-fun ref!111 () (_ BitVec 32) (concat ref!61 ref!62 ref!63 ref!64)) ; POP operation
pf:1 bv[0..0] (define-fun ref!107 () (_ BitVec 1) (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (_ bv1 1) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv0 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv1 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv2 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv3 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv4 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv5 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv6 8)))) ((_ extract 0 0) (bvlshr ((_ extract 7 0) ref!103) (_ bv7 8))))) ; Parity flag
#!/usr/bin/env python2
## -*- coding: utf-8 -*-
##

from __future__ import print_function
from triton import TritonContext, ARCH, Instruction, MODE

import sys

# Define the code to be emulated
mycode = {
    0x400000: b"\x53",                  # push ebx
    0x400001: b"\xbb\xb9\x00\x00\x00",  # mov ebx, 0xB9
    0x400006: b"\x29\xd8",              # sub eax, ebx
    0x400008: b"\x5b",                  # pop ebx
    0x400009: b"\x83\xe8\x55",          # sub eax, 0x55
    0x40000c: b"\x83\xe8\x32",          # sub eax, 0x32
    0x40000f: b"\x01\xc8",              # add eax, ecx
    0x400011: b"\x83\xc0\x50",          # add eax, 0x50
    0x400014: b"\x83\xc0\x37",          # add eax, 0x37
    0x400017: b"\x52",                  # push edx
    0x400018: b"\x51",                  # push ecx
    0x400019: b"\xb9\x49\x00\x00\x00",  # mov ecx, 0x49
    0x40001e: b"\x89\xca",              # mov edx, ecx
    0x400020: b"\x59",                  # pop ecx
    0x400021: b"\x42",                  # inc edx
    0x400022: b"\x83\xc2\x70",          # add edx, 0x70
    0x400025: b"\x4a",                  # dec edx
    0x400026: b"\x01\xd0",              # add eax, edx
    0x400028: b"\x5a",                  # pop edx
    0x400029: b"\xff\xe0",              # jmp eax
}

# Define the context object to which the Triton functions are applied
context = TritonContext()


# This function emulates the code.
def defcon(pc):
    while pc in mycode:
        # Build an instruction
        instruction = Instruction()

        # Setup the opcode
        instruction.setOpcode(mycode[pc])

        # Setup start address
        instruction.setAddress(pc)

        # Process the opcodes
        context.processing(instruction)

        # Display the instruction
        print('Curr pc:', instruction)

        # Set the IP to the next instruction and update some registers
        pc = context.getRegisterAst(context.registers.eip).evaluate()
        eax = context.getRegisterAst(context.registers.eax).evaluate()
        ebx = context.getRegisterAst(context.registers.ebx).evaluate()
        ecx = context.getRegisterAst(context.registers.ecx).evaluate()
        edx = context.getRegisterAst(context.registers.edx).evaluate()
        print('Next pc: ', hex(pc))
        print('Next eax:', hex(eax))
        print('Next ebx:', hex(ebx))
        print('Next ecx:', hex(ecx))
        print('Next edx:', hex(edx))
        print()
    return


# This function initializes the context memory. EAX and ECX were randomly chosen.
def startCtx():
    context.setConcreteRegisterValue(context.registers.esp, 0x7fffffff)
    context.setConcreteRegisterValue(context.registers.ebp, 0x7fffffff)
    context.setConcreteRegisterValue(context.registers.eax, 0x2)
    context.setConcreteRegisterValue(context.registers.ebx, 0x0)
    context.setConcreteRegisterValue(context.registers.ecx, 0x7)
    context.setConcreteRegisterValue(context.registers.edx, 0x0)
    return


if __name__ == '__main__':
    # Set the architecture. In our case, we have chosen x86 32-bit.
    context.setArchitecture(ARCH.X86)

    # Align the memory
    context.enableMode(MODE.ALIGNED_MEMORY, True)

    # Define the entry point address
    entrypoint = 0x400000

    # Set the memory context
    startCtx()

    # Run the emulation
    defcon(entrypoint)

    sys.exit(0)
root@ubuntu19:~/pin214/source/tools/Triton/src/examples/python# python defcon_sym_2.py
Curr ip: 0x400000: push ebx
Next ip: 0x400001
Next eax: 0x2
Next ebx: 0x0
Next ecx: 0x7
Next edx: 0x0

Curr ip: 0x400001: mov ebx, 0xb9
Next ip: 0x400006
Next eax: 0x2
Next ebx: 0xb9
Next ecx: 0x7
Next edx: 0x0

Curr ip: 0x400006: sub eax, ebx
Next ip: 0x400008
Next eax: 0xffffff49
Next ebx: 0xb9
Next ecx: 0x7
Next edx: 0x0

Curr ip: 0x400028: pop edx
Next ip: 0x400029
Next eax: 0x9
Next ebx: 0x0
Next ecx: 0x7
Next edx: 0x0

Curr ip: 0x400029: jmp eax
Next ip: 0x9
Next eax: 0x9
Next ebx: 0x0
Next ecx: 0x7
Next edx: 0x0
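The Triton run above ends with EAX = 0x9 for EAX = 0x2 and ECX = 0x7, and the miasm output earlier reduced the flags to expressions over EAX_init + ECX_init. The block below is an added example, not code from the slides or from Triton or miasm: a minimal concrete interpreter for just the x86-32 encodings this sample uses (push/pop r32, mov r32, imm32, add/sub/mov r/m32, r32, add/sub r/m32, imm8, inc/dec r32, jmp r32). It reproduces the jump target without any external tool and then checks over random inputs that the whole sequence collapses to `jmp (EAX_init + ECX_init)`. The opcode bytes are transcribed from the slides; the class and function names are my own.

```python
"""Concrete re-execution of the obfuscated 'jmp' sequence from the slides.
Added example (not from the slides, Triton or miasm): a tiny interpreter for the
few x86-32 encodings the sample uses, so the symbolic result can be checked offline."""
import random

MASK32 = 0xFFFFFFFF
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # ModRM/opcode order

# Opcode bytes transcribed from the slides (same sequence as the Triton scripts).
MYCODE = {
    0x400000: b"\x53",                  # push ebx
    0x400001: b"\xbb\xb9\x00\x00\x00",  # mov ebx, 0xb9
    0x400006: b"\x29\xd8",              # sub eax, ebx
    0x400008: b"\x5b",                  # pop ebx
    0x400009: b"\x83\xe8\x55",          # sub eax, 0x55
    0x40000c: b"\x83\xe8\x32",          # sub eax, 0x32
    0x40000f: b"\x01\xc8",              # add eax, ecx
    0x400011: b"\x83\xc0\x50",          # add eax, 0x50
    0x400014: b"\x83\xc0\x37",          # add eax, 0x37
    0x400017: b"\x52",                  # push edx
    0x400018: b"\x51",                  # push ecx
    0x400019: b"\xb9\x49\x00\x00\x00",  # mov ecx, 0x49
    0x40001e: b"\x89\xca",              # mov edx, ecx
    0x400020: b"\x59",                  # pop ecx
    0x400021: b"\x42",                  # inc edx
    0x400022: b"\x83\xc2\x70",          # add edx, 0x70
    0x400025: b"\x4a",                  # dec edx
    0x400026: b"\x01\xd0",              # add eax, edx
    0x400028: b"\x5a",                  # pop edx
    0x400029: b"\xff\xe0",              # jmp eax
}


class MiniX86:
    """Just enough x86-32 to run MYCODE concretely (no flags, register-only ModRM)."""
    def __init__(self, **init):
        self.r = dict.fromkeys(REGS, 0)
        self.r["esp"] = self.r["ebp"] = 0x7FFFFFFF   # same initial stack as startCtx()
        self.r.update(init)
        self.stack = {}    # esp -> dword, only for the slots the code touches
        self.trace = []    # (address, disassembly) for every executed instruction

    def _push(self, val):
        self.r["esp"] = (self.r["esp"] - 4) & MASK32
        self.stack[self.r["esp"]] = val & MASK32

    def _pop(self):
        val = self.stack.get(self.r["esp"], 0)
        self.r["esp"] = (self.r["esp"] + 4) & MASK32
        return val

    def step(self, pc, code):
        """Execute the encoded instruction at pc; return the next pc."""
        op, nxt = code[0], pc + len(code)
        if 0x50 <= op <= 0x57:                                  # push r32
            reg = REGS[op - 0x50]; self._push(self.r[reg]); asm = "push " + reg
        elif 0x58 <= op <= 0x5F:                                # pop r32
            reg = REGS[op - 0x58]; self.r[reg] = self._pop(); asm = "pop " + reg
        elif 0xB8 <= op <= 0xBF:                                # mov r32, imm32
            reg, imm = REGS[op - 0xB8], int.from_bytes(code[1:5], "little")
            self.r[reg] = imm; asm = "mov %s, 0x%x" % (reg, imm)
        elif 0x40 <= op <= 0x4F:                                # inc (40-47) / dec (48-4f) r32
            reg, delta = REGS[op & 7], (1 if op < 0x48 else -1)
            self.r[reg] = (self.r[reg] + delta) & MASK32
            asm = ("inc " if delta == 1 else "dec ") + reg
        elif op in (0x01, 0x29, 0x89):                          # add/sub/mov r/m32, r32
            modrm = code[1]
            assert modrm >> 6 == 3, "only register operands are implemented"
            dst, src = REGS[modrm & 7], REGS[(modrm >> 3) & 7]
            ops = {0x01: ("add", self.r[dst] + self.r[src]),
                   0x29: ("sub", self.r[dst] - self.r[src]),
                   0x89: ("mov", self.r[src])}
            mnem, val = ops[op]
            self.r[dst] = val & MASK32; asm = "%s %s, %s" % (mnem, dst, src)
        elif op == 0x83:                                        # add (/0) or sub (/5) r/m32, imm8
            modrm, imm8 = code[1], code[2]
            assert modrm >> 6 == 3, "only register operands are implemented"
            dst, ext = REGS[modrm & 7], (modrm >> 3) & 7
            imm = imm8 - 0x100 if imm8 & 0x80 else imm8         # imm8 is sign-extended
            mnem, sign = {0: ("add", 1), 5: ("sub", -1)}[ext]
            self.r[dst] = (self.r[dst] + sign * imm) & MASK32
            asm = "%s %s, 0x%x" % (mnem, dst, imm8)
        elif op == 0xFF and code[1] >> 6 == 3 and (code[1] >> 3) & 7 == 4:   # jmp r32
            reg = REGS[code[1] & 7]; nxt = self.r[reg]; asm = "jmp " + reg
        else:
            raise NotImplementedError("opcode 0x%02x not handled" % op)
        self.trace.append((pc, asm))
        return nxt

    def run(self, code, pc):
        while pc in code:                # stop as soon as control leaves the known bytes
            pc = self.step(pc, code[pc])
        return pc


def jump_target(eax, ecx):
    """Address the final 'jmp eax' transfers to for the given initial EAX/ECX."""
    return MiniX86(eax=eax, ecx=ecx).run(MYCODE, 0x400000)


def reduces_to_eax_plus_ecx(trials=2000, seed=1):
    """Concrete check of the symbolic result: target == EAX_init + ECX_init (mod 2^32)."""
    rng = random.Random(seed)
    return all(jump_target(a, c) == (a + c) & MASK32
               for a, c in ((rng.getrandbits(32), rng.getrandbits(32)) for _ in range(trials)))
```

With `jump_target(0x2, 0x7)` the interpreter returns 0x9, matching the Triton run, and `jump_target(0x7, 0x2)` returns 0x9 as in the radare2 ESIL session that follows; `reduces_to_eax_plus_ecx()` confirms the constants (0xb9, 0x55, 0x32, 0x50, 0x37, 0x49, 0x70) cancel out, which is exactly what the miasm expressions for zf and nf say. The `trace` attribute of a `MiniX86` instance holds the 20 executed instructions, useful when comparing against the `Curr ip:` lines above.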
RADARE2 + MIASM
root@kali:~/programs/defcon# r2 -b 32 defcon2019.bin
 -- EIP = 0x41414141
[0x00000000]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x00000000]> ec comment green
[0x00000000]> pdf
(fcn) fcn.00000000 41                                          ESIL comment
  fcn.00000000 ();
            0x00000000      53             push ebx        ; esp=0xfffffffffffffffc
            0x00000001      bbb9000000     mov ebx, 0xb9   ; 185 ; ebx=0xb9
            0x00000006      29d8           sub eax, ebx    ; eax=0xffffffffffffff47 ; of=0x0 ; sf=0x1 -> 0xb9bb ; zf=0x0 ; pf=0x1 -> 0xb9bb ; cf=0x1 -> 0xb9bb
            0x00000008      5b             pop ebx         ; ebx=0xffffffff ; esp=0x100000000
            0x00000009      83e855         sub eax, 0x55   ; 'U' ; eax=0xfffffef2 ; of=0x0 ; sf=0x1 -> 0xb9bb ; zf=0x0 ; pf=0x0 ; cf=0x0
            0x0000000c      83e832         sub eax, 0x32   ; '2' ; eax=0xfffffec0 ; of=0x0 ; sf=0x1 -> 0xb9bb ; zf=0x0 ; pf=0x1 -> 0xb9bb ; cf=0x0
            0x0000000f      01c8           add eax, ecx    ; eax=0xfffffec0 ; of=0x0 ; sf=0x1 -> 0xb9bb ; zf=0x0 ; cf=0x0 ; pf=0x1 -> 0xb9bb
            0x00000011      83c050         add eax, 0x50   ; 'P' ; eax=0xffffff10 ; of=0x0 ; sf=0x1 -> 0xb9bb ; zf=0x0 ; cf=0x0 ; pf=0x0
            0x00000014      83c037         add eax, 0x37   ; '7' ; eax=0xffffff47 ; of=0x0 ; sf=0x1 -> 0xb9bb ; zf=0x0 ; cf=0x0 ; pf=0x1 -> 0xb9bb
            0x00000017      52             push edx        ; esp=0xfffffffffffffffc
            0x00000018      51             push ecx        ; esp=0xfffffff8
            0x00000019      b949000000     mov ecx, 0x49   ; 'I' ; 73 ; ecx=0x49
            0x0000001e      89ca           mov edx, ecx    ; edx=0x49
            0x00000020      59             pop ecx         ; ecx=0xffffffff ; esp=0xfffffffc
            0x00000021      42             inc edx         ; edx=0x4a ; of=0x0 ; sf=0x0 ; zf=0x0 ; pf=0x0
            0x00000022      83c270         add edx, 0x70   ; 'p' ; edx=0xba ; of=0x0 ; sf=0x0 ; zf=0x0 ; cf=0x0 ; pf=0x0
            0x00000025      4a             dec edx         ; edx=0xb9 ; of=0x0 ; sf=0x0 ; zf=0x0 ; pf=0x0
            0x00000026      01d0           add eax, edx    ; eax=0x100000000 ; of=0x0 ; sf=0x0 ; zf=0x1 -> 0xb9bb ; cf=0x1 -> 0xb9bb ; pf=0x1 -> 0xb9bb
            0x00000028      5a             pop edx         ; edx=0xffffffff ; esp=0x100000000
[0x00000000]> aer eax=0x7
[0x00000000]> aer ecx=0x2
[0x00000000]> e io.cache = true
[0x00000000]> aes
[0x00000000]> aer
oeax = 0x00000000
eax = 0x00000007
ebx = 0x00000000
ecx = 0x00000002
edx = 0x00000000
esi = 0x00000000
edi = 0x00000000
esp = 0xfffffffc
ebp = 0x00000000
eip = 0x00000001
eflags = 0x00000000
✓ aer: handle ESIL registers (set and show)
✓ aes: perform an emulated debugger step
✓ aecu: continue until address

[0x00000000]> e asm.emu=true
[0x00000000]> aecu 0x00000028
[0x00000000]> aer
oeax = 0x00000000
eax = 0x00000009
ebx = 0x00000000
ecx = 0x00000002
edx = 0x000000b9
esi = 0x00000000
edi = 0x00000000
esp = 0xfffffffc
ebp = 0x00000000
eip = 0x00000028
eflags = 0x00000005
R2M2 bridges the radare2 and miasm2 communities: radare2 being the graphical interface of miasm2, and miasm2 simplifying the implementation of new architectures.

How to install it?

    ✓ apt-get install docker
    ✓ git clone https://github.com/radare/radare2.git
    ✓ cd radare2/
    ✓ sys/install.sh
    ✓ Install MIASM
    ✓ pip install cffi
    ✓ pip install jinja2
    ✓ docker pull guedou/r2m2
    ✓ docker run --rm -it -e 'R2M2_ARCH=x86_32' guedou/r2m2 bash

✓ [r2m2@fd5662d151e4 ~]$ pwd
✓ (another terminal) docker ps -a
✓ (another terminal) docker cp /root/defcon2019.bin fd5662d151e4:/home/r2m2/defcon2019.bin
✓ [r2m2@fd5662d151e4 ~]$ export R2M2_ARCH=x86_32
✓ [r2m2@fd5662d151e4 ~]$ r2 -A -b 32 -a r2m2 defcon2019.bin
[r2m2@fd5662d151e4 ~]$ r2 -A -b 32 -a r2m2 defcon2019.bin
/home/r2m2/miasm/miasm/expression/expression.py:924: UserWarning:
  warnings.warn('DEPRECATION WARNING: use exprmem.ptr instead of e
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] find and analyze function preludes (aap)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Finding xrefs in noncode section with anal.in = 'io.maps'
[x] Analyze value pointers (aav)
[x] Value from 0x00000000 to 0x00000029 (aav)
[x] 0x00000000-0x00000029 in 0x0-0x29 (aav)
Warning: No SN reg alias for current architecture.
[x] Emulate code to find computed references (aae)
WARNING: r_reg_get: assertion 'reg && name' failed (line 279)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
 -- Warning, your trial license is about to expire.
[0x00000000]>
[0x00000000]> ec comment yellow
[0x00000000]>
[0x00000000]> e asm.emu=true
[0x00000000]>
[0x00000000]> pd 20
            ; arg int32_t arg_4h @ esp+0x4
/ (fcn) fcn.00000000 41
|   fcn.00000000 (int32_t arg_4h);
|           0x00000000      53             PUSH EBX
|           0x00000001      bbb9000000     MOV EBX, 0xB9
|           0x00000006      29d8           SUB EAX, EBX
|           0x00000008      5b             POP EBX
|           0x00000009      83e855         SUB EAX, 0x55
|           0x0000000c      83e832         SUB EAX, 0x32
|           0x0000000f      01c8           ADD EAX, ECX
|           0x00000011      83c050         ADD EAX, 0x50
|           0x00000014      83c037         ADD EAX, 0x37
|           0x00000017      52             PUSH EDX
|           0x00000018      51             PUSH ECX
|           0x00000019      b949000000     MOV ECX, 0x49
|           0x0000001e      89ca           MOV EDX, ECX
|           0x00000020      59             POP ECX
|           0x00000021      42             INC EDX
|           0x00000022      83c270         ADD EDX, 0x70
|           0x00000025      4a             DEC EDX
|           0x00000026      01d0           ADD EAX, EDX
\           0x00000028      5a             POP EDX
            /!\ buffer too long /!\
DTRACE on WINDOWS
✓ DTrace is a dynamic tracing framework, which is very efficient and famous on the Solaris operating system.

✓ DTrace was initially written by Mike Shapiro, Adam Leventhal and Bryan Cantrill at Sun Microsystems. Although they had been developing DTrace since 2003, it was only introduced in Solaris 10 03/05.

✓ It is used to get a real-time overview of a system in user and kernel mode. Furthermore, it can be used to understand how applications and systems are behaving.

✓ A few months ago, DTrace was ported to Windows: https://github.com/opendtrace/opendtrace/tree/windows

✓ DTrace could be summarized as a set of probes (sensors) scattered over key points in the kernel. Thus, every time a probe is "activated", it is possible to record and understand the application behavior.

✓ Using DTrace makes it easier to profile a process and the system: find which system calls are "called", how many bytes are written/read by a process, which files are opened by a process, trace the sequence of called system calls and so on.
✓ DTrace scripts are written in the D language (similar to awk).

✓ Probe names are described by the following syntax:
    provider:module:function:name

  where:

    ✓ provider: library of probes used to instrument an area of the system. On Windows, the existing providers are syscall, etw, profile, pid and dtrace.
    ✓ module: kernel module where we find the probe.
    ✓ function: function containing the probe.
    ✓ name: specific name or description of the target probe.

✓ Key concepts:
    ✓ predicates: user-defined conditions.
    ✓ actions: tasks that are run when a probe fires.
    ✓ aggregations: coalesce data using aggregation functions.
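To make the four-field probe syntax concrete, here is an added example (my own code, not from the slides and not DTrace's implementation) that reproduces how a description such as `syscall::*Read*:entry` selects probes from a `dtrace -l` style listing: every field is a shell-style glob, an empty field matches anything, and a description with fewer than four fields is filled from the right (so `tick-1` is a probe name only). The probe table is a small constructed subset of the listings shown later on these slides; where an ID was not visible I used an obviously placeholder value.

```python
"""How a DTrace probe description selects probes (added example, not DTrace code)."""
import fnmatch
from collections import namedtuple

Probe = namedtuple("Probe", "id provider module function name")

# Constructed subset of `dtrace -l` on Windows; ids as printed on the slides where
# visible, otherwise placeholders (9001).
PROBES = [
    Probe(1, "dtrace", "", "", "BEGIN"),
    Probe(2, "dtrace", "", "", "END"),
    Probe(3, "dtrace", "", "", "ERROR"),
    Probe(30, "syscall", "", "NtReadOnlyEnlistment", "entry"),
    Probe(140, "syscall", "", "NtReadRequestData", "entry"),
    Probe(170, "syscall", "", "NtWorkerFactoryWorkerReady", "entry"),
    Probe(234, "syscall", "", "NtReadFileScatter", "entry"),
    Probe(608, "syscall", "", "NtReadVirtualMemory", "entry"),
    Probe(614, "syscall", "", "NtReadFile", "entry"),
    Probe(9001, "syscall", "", "NtReadFile", "return"),      # placeholder id
    Probe(518, "syscall", "", "NtMapViewOfSection", "entry"),
    Probe(3004, "profile", "", "", "tick-1"),
]


def parse_description(desc):
    """Split a probe description into [provider, module, function, name].

    With fewer than four colon-separated fields DTrace fills from the right, so
    "tick-1" is a name only while "syscall::*Read*:entry" is fully qualified.
    """
    fields = desc.split(":")
    if len(fields) > 4:
        raise ValueError("too many fields in probe description: %r" % desc)
    return [""] * (4 - len(fields)) + fields


def field_matches(pattern, value):
    # An empty field is a wildcard; anything else is matched as a case-sensitive glob.
    return pattern == "" or fnmatch.fnmatchcase(value, pattern)


def select_probes(desc, probes=PROBES):
    """Return the probes a description would enable, in listing order."""
    fields = parse_description(desc)
    return [p for p in probes
            if all(field_matches(f, v) for f, v in zip(fields, p[1:]))]


def matched_functions(desc, probes=PROBES):
    """Convenience view: the FUNCTION column of what `dtrace -ln desc` would print."""
    return [p.function for p in select_probes(desc, probes)]
```

Running `matched_functions("syscall::*Read*:entry")` over this table returns the same six functions as the `dtrace -ln "syscall::*Read*:entry"` listing below, including `NtWorkerFactoryWorkerReady`, which matches only because "Ready" contains "Read". That is worth remembering when a glob is used in a predicate or an aggregation key: a tighter description such as `syscall::NtRead*:entry` avoids counting unrelated calls.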
✓ To install DTrace:
    ✓ Windows 10 x64 (build 18342 or later) from the Windows Insider Program.
    ✓ bcdedit.exe /set dtrace on
    ✓ Download the DTrace package: http://download.microsoft.com/download/B/D/4/BD4B95A5-0B61-4D8F-837C-F889AAD8DAA2/DTrace.amd64.msi
    ✓ _NT_SYMBOL_PATH=srv*C:\symbols*https://msdl.microsoft.com/download/symbols
    ✓ Reboot the system.
    ✓ Open a command prompt as administrator.
    ✓ If you are using fbt (function boundary tracing), it is necessary to attach WinDbg and boot Windows in debug mode.
C:\Users\Administrator>dtrace -l | more
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
         syscall                      NtLockProductActivationKeys    entry
         syscall                      NtLockProductActivationKeys    return
         syscall                            NtWaitHighEventPair      entry
         syscall                            NtWaitHighEventPair      return
         syscall                   NtRegisterThreadTerminatePort     entry
         syscall                   NtRegisterThreadTerminatePort     return
         syscall                 NtAssociateWaitCompletionPacket     entry
         syscall                 NtAssociateWaitCompletionPacket     return
         syscall                       NtQueryPerformanceCounter     entry
         syscall                       NtQueryPerformanceCounter     return
         syscall                                   NtCompactKeys     entry
         syscall                                   NtCompactKeys     return
         syscall                      NtQuerySystemInformationEx     entry
         syscall                      NtQuerySystemInformationEx     return
         syscall                                    NtResetEvent     entry
         syscall                                    NtResetEvent     return
         syscall                              NtGetContextThread     entry
         syscall                              NtGetContextThread     return
         syscall                        NtQueryInformationThread     entry
C:\>dtrace -V
dtrace: Sun D 1.13

C:\>dtrace -l | grep -v "syscall" | grep -v "etw"
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
 2997    profile                                                     profile-97
 2998    profile                                                     profile-199
 2999    profile                                                     profile-499
 3000    profile                                                     profile-997
 3001    profile                                                     profile-1999
 3002    profile                                                     profile-4001
 3003    profile                                                     profile-4999
 3004    profile                                                     tick-1
 3005    profile                                                     tick-10
 3006    profile                                                     tick-100
 3007    profile                                                     tick-500
 3008    profile                                                     tick-1000
 3009    profile                                                     tick-5000
 3044    profile                                                     tick-5sec
C:\>dtrace -ln "syscall::*Read*:entry"
   ID   PROVIDER            MODULE                          FUNCTION NAME
   30    syscall                            NtReadOnlyEnlistment      entry
  140    syscall                              NtReadRequestData       entry
  170    syscall                      NtWorkerFactoryWorkerReady      entry
  234    syscall                              NtReadFileScatter       entry
  608    syscall                            NtReadVirtualMemory       entry
  614    syscall                                     NtReadFile       entry

C:\>dtrace -ln "syscall::*Write*:entry"
   ID   PROVIDER            MODULE                          FUNCTION NAME
         syscall                                    NtWriteFile       entry
         syscall                                 NtGetWriteWatch      entry
         syscall                      NtFlushProcessWriteBuffers      entry
         syscall                           NtWriteVirtualMemory       entry
         syscall                               NtFlushWriteBuffer     entry
         syscall                             NtWriteRequestData       entry
         syscall                              NtWriteFileGather       entry
         syscall                               NtResetWriteWatch      entry

C:\>dtrace -ln "syscall::*View*:entry"
   ID   PROVIDER            MODULE                          FUNCTION NAME
  516    syscall                         NtUnmapViewOfSectionEx       entry
  518    syscall                             NtMapViewOfSection       entry
  638    syscall                       NtAlpcCreateSectionView        entry
  704    syscall                       NtAlpcDeleteSectionView        entry
  878    syscall                           NtUnmapViewOfSection       entry
  918    syscall                           NtMapViewOfSectionEx       entry
C:\>dtrace -Fn "syscall:::entry /execname==\"notepad.exe\"/
dtrace: description 'syscall:::entry ' matched 464 probes

  NtCreateFile                                                      1
  NtQueryAttributesFile                                             1
  NtQueryInformationFile                                            1
  NtQueryValueKey                                                   1
  NtWriteFile                                                       1
  NtEnumerateKey                                                    2
  NtQueryInformationToken                                           2
  NtSetInformationFile                                              2
  NtSetInformationProcess                                           2
  NtSetTimer2                                                       2
  NtWaitForWorkViaWorkerFactory                                     2
  NtTraceEvent                                                      4
  NtClearEvent                                                      6
  NtOpenKeyEx                                                       6
  NtOpenEvent                                                       7
  NtQueryKey
  NtAssociateWaitCompletionPacket                                  12
  NtSetInformationThread                                           16
  NtAlpcSendWaitReceivePort
  NtOpenFile                                                      135
  NtQueryDirectoryFileEx                                          135
  NtClose                                                         138
  NtQueryInformationProcess                                       138
  NtCallbackReturn                                                616
C:\>dtrace -n "syscall:::entry { @num[pid,execname] = count(); }"
dtrace: description 'syscall:::entry ' matched 464 probes

     5492  RuntimeBroker.                                            1
        0  DismHost.exe                                              2
        0  VSSVC.exe                                                 2
        0  svchost.exe                                               2
     8376  smartscreen.ex                                            3
     1248  TrustedInstall                                            6
     1544  svchost.exe                                               6
     9269  wimserv.exe                                               6
     3584  vmtoolsd.exe                                              7
     8000  vmtoolsd.exe                                             11
     7560  cmd.exe                                                  14
     1380  svchost.exe                                              15
     1568  RuntimeBroker.                                           29
     4144  svchost.exe                                              20
     3564  vmms.exe                                                 24
     9408  WinRAR.exe                                               27
     4528  vmcompute.exe                                            30
      480  svchost.exe                                              46
     1988  svchost.exe                                              89
     3184  svchost.exe                                              98
     1152  ctfmon.exe                                              108
     4844  wuauclt.exe                                             126
C:\>dtrace -Fn "tick-5sec { exit(0); } syscall:::entry { @num[probefunc] = count(); }" | tail -20
dtrace: description 'tick-5sec ' matched 465 probes

  NtCreateFile                                                    773
  NtReleaseMutant                                                 860
  NtQueryVirtualMemory                                            878
  NtSetInformationKey                                            1994
  NtSetInformationFile                                           1152
  NtEnumerateKey                                                 1235
  NtOpenThreadToken                                              1286
  NtCreateKey                                                    1295
  NtEnumerateValueKey                                            1312
  NtQueryInformationFile                                         1953
  NtWriteFile                                                    2476
  NtQuerySecurityObject                                          2669
  NtQueryValueKey                                                3089
  NtWaitForSingleObject                                          3380
  NtQueryDirectoryFileEx                                         4225
  NtOpenFile                                                     4237
  NtQueryInformationToken                                        6111
  NtOpenKeyEx                                                    7470
  NtClose                                                       14041
  NtQueryKey                                                    15949

✓ It is possible to use a different type of provider named "fbt" (function boundary tracing), which tracks the sequence of kernel functions (for example, the NTFS functions) executed while the system calls are being served.

✓ The "fbt" provider is only available when a kernel debugger is attached to Windows 10.
C:\>dtrace -Fn "tick-5sec { exit(0); } syscall:::entry /execname == \"chrome.exe\"/ { @num[probefunc] = count(); }" | tail -25
dtrace: description 'tick-5sec ' matched 465 probes

  NtDeviceIoControlFile                                            32
  NtDuplicateObject                                                40
  NtFreeVirtualMemory                                              50
  NtAllocateVirtualMemory                                          56
  NtQueryInformationThread                                         75
  NtFindAtom                                                      163
  NtSetTimerResolution                                            187
  NtQuerySystemInformation                                        202
  NtCreateEvent                                                   328
  NtClose                                                         381
  NtQueryInformationProcess                                       396
  NtClearEvent                                                    428
  NtAlertThreadByThreadId                                         604
  NtWaitForAlertByThreadId                                        604
  NtSetIoCompletionEx                                             684
  NtAssociateWaitCompletionPacket                                1020
  NtSetIoCompletion                                              1050
  NtDelayExecution                                               1215
  NtFlushProcessWriteBuffers                                     1335
  NtRemoveIoCompletionEx                                         1702
  NtReadFile                                                     2175
  NtWriteFile                                                    2242
  NtSetEvent                                                     2824
  NtWaitForSingleObject                                          4319
  NtRemoveIoCompletion                                           8600
C:\>dtrace -n "profile-997hz { @[pid, execname] = count(); }"
dtrace: description 'profile-997hz ' matched 1 probe

           audiodg.exe
      440  smss.exe
      872  fontdrvhost.ex
     1028  wlrmdr.exe
     1136  svchost.exe
     1368  svchost.exe
     1400  svchost.exe
     1532  svchost.exe
     1652  svchost.exe
     1728  userinit.exe
     2176  svchost.exe
     2512  RuntimeBroker.
     2528  svchost.exe
     2672  svchost.exe
     3756  dasHost.exe
     5004  svchost.exe
     5828  RuntimeBroker.
     6192  svchost.exe
     6276  svchost.exe
     6784  SkypeBackgroun
     7944  SecurityHealth
     8312  MicrosoftEdgeS
     9084  svchost.exe
    10052  svchost.exe
C:\>dtrace -Fn "fbt:ntfs::/execname==\"WinRAR.exe\"/{}" | more
dtrace: description 'fbt:ntfs::' matched 7752 probes
CPU FUNCTION
  0  -> NtfsFsdDispatchWait
  0    -> memset
  0    <- memset
  0    -> NtfsFsdDispatchSwitch
  0      -> NtfsInitializeTopLevelIrp
  0      <- NtfsInitializeTopLevelIrp
  0      -> memset
  0      <- memset
  0      -> NtfsInitializeIrpContextInternal
  0      <- NtfsInitializeIrpContextInternal
  0      -> NtfsUpdateIrpContextWithTopLevel
  0      <- NtfsUpdateIrpContextWithTopLevel
  0      -> NtfsPreRequestProcessingExtend
  0      <- NtfsPreRequestProcessingExtend
  0      -> NtfsCommonQueryInformation
  0        -> NtfsAcquireExclusiveFcb
  0        <- NtfsAcquireExclusiveFcb
  0        -> TxfSetupTransactionContextFromCcb
  0        <- TxfSetupTransactionContextFromCcb
  0        -> NtfsQueryNameInfo
Your Windows Insider Build ran into a problem and needs to restart. We're just collecting some error info, and then you can restart.

100% complete

For more information about this issue and possible fixes, visit https://www.windows.com/stopcode

If you call a support person, give them this info:
Stop code: DRIVER IRQL NOT LESS OR EQUAL
What failed: traceext.sys

kd> .lastevent
Last event: Break instruction exception - code 80000003 (first/second chance not available)
  debugger time: Sun Apr 28 22:00:04.067 2019 (UTC - 7:00)

kd> k
Child-SP          RetAddr           Call Site
fffffd8d`c02a0198 fffff802`21fe5469 nt!KeBugCheckEx
fffffd8d`c02a01a0 fffff802`21fe17ab nt!KiBugCheckDispatch+0x69
fffffd8d`c02a02e0 fffff802`217b8e1e nt!KiPageFault+0x465
fffffd8d`c02a0478 fffff803`01e932bf traceext!StpGetArgVal+0xe
fffffd8d`c02a0480 fffff803`01e95e2c DTrace!dtrace_dif_variable+0x1e7
fffffd8d`c02a0540 fffff803`01e972d8 DTrace!dtrace_dif_emulate+0x754
fffffd8d`c02a0760 fffff802`217b76cd DTrace!dtrace_probe+0x478
fffffd8d`c02a0930 fffff802`217c16cc traceext!dtrace_probe+0x29
fffffd8d`c02a0980 fffff802`22694944 traceext!StpCallbackEntry+0x7c
fffffd8d`c02a09e0 fffff802`21fe534d nt!KiTrackSystemCallEntry+0xd4
fffffd8d`c02a0a40 00007ff9`2edfc164 nt!KiSystemServiceExitPico+0x238
000000ac`bc7fb918 00000000`00000000 0x00007ff9`2edfc164

1: kd> lmv m traceext
start             end                 module name
fffff802`217b6000 fffff802`217d1000   traceext   (pdb symbols)
    Loaded symbol image file: traceext.sys
    Image path: traceext.sys
    Image name: traceext.sys
    Image was built with /Brepro flag.
    Timestamp:        414AF89D (This is a reproducible build file hash, not a timestamp)
    CheckSum:         00016962
    ImageSize:        0001B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

kd> x /D traceext!s*
fffff802`217b8e10 traceext!StpGetArgVal (void)
fffff802`217c1770 traceext!StpDisable (void)
fffff802`217c1880 traceext!StpProvide (void)
fffff802`217c1710 traceext!StpEnable (void)
fffff802`217b8e50 traceext!StpGetContext (void)
fffff802`217c17c0 traceext!StpGetArgType (void)
fffff802`217c1970 traceext!StpDestroy (void)
fffff802`217c1650 traceext!StpCallbackEntry (<no parameter info>)
fffff802`217b9146 traceext!strcmp (<no parameter info>)
fffff802`217c16e0 traceext!StpCallbackReturn (<no parameter info>)

1: kd> uf fffff802`217b8e10
traceext!StpGetArgVal:
fffff802`217b8e10 488b542428      mov     rdx,qword ptr [rsp+28h]
fffff802`217b8e15 4885d2          test    rdx,rdx
fffff802`217b8e18 742a            je      traceext!StpGetArgVal+0x34 (fffff802`217b8e44)

traceext!StpGetArgVal+0xa:
fffff802`217b8e1a 4983e0fe        and     r8,0FFFFFFFFFFFFFFFEh
fffff802`217b8e1e 410fb74008      movzx   eax,word ptr [r8+8]
fffff802`217b8e23 443bc8          cmp     r9d,eax
fffff802`217b8e26 741c            je      traceext!StpGetArgVal+0x34 (fffff802`217b8e44)

traceext!StpGetArgVal+0x18:
fffff802`217b8e28 8b4210          mov     eax,dword ptr [rdx+10h]
fffff802`217b8e2b 443bc8          cmp     r9d,eax
fffff802`217b8e2e 740c            je      traceext!StpGetArgVal+0x2c (fffff802`217b8e3c)

traceext!StpGetArgVal+0x20:
fffff802`217b8e30 488b4208        mov     rax,qword ptr [rdx+8]

traceext!StpGetArgVal+0x24:
fffff802`217b8e34 4963c9          movsxd  rcx,r9d
fffff802`217b8e37 488b04c8        mov     rax,qword ptr [rax+rcx*8]
fffff802`217b8e3b c3              ret

traceext!StpGetArgVal+0x2c:
fffff802`217b8e3c 442bc8          sub     r9d,eax
fffff802`217b8e3f 488002
fffff802`217b8e42 ebf0            jmp     traceext!StpGetArgVal+0x24 (fffff802`217b8e34)

traceext!StpGetArgVal+0x34:
fffff802`217b8e44 33c0            xor     eax,eax
fffff802`217b8e46 c3              ret
1: kd> vertarget


r8,0FFFFFFFFFFFFFFFEh 

eax,word ptr [r8+8] 

r9d,eax 

traceext!StpGetArgVal+0x34 (fffff802'217b8e44) 


eax,dword ptr [rdx+10h] 
r9d,eax 
traceext!StpGetArgVal+0x2c (fffff802'217b8e3c) 


rax,qword ptr [rdx+8] 


rcx,r9d 
rax,qword ptr [гах+гсх*8] 


r9d,eax 
rax,qword ptr [rdx] 
traceext! StpGetArgVal+0x24 (fffff802`217b8e34) 


indows 10 Kernel Version 18362 MP (2 procs) Free x64 
Product: WinNt, suite: TerminalServer SingleUserTS 
Built by: 18362.1.amd64fre.19hl release.190318-1202 


achine Name: 


Branch 


Branch 


Branch 


Branch 
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Kernel base = Oxfffff802'21e17000 PsLoadedModuleList = Oxfffff802'2225a290 
Debug session time: Sun Apr 28 19:11:07.480 2019 (UTC - 7:00) 
System Uptime: 0 days 2:40:06.813 
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ANTI-VM
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✓ It is extremely easy to write malware samples using anti-VM techniques designed
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to detect VMware (checking I/O port communication), VirtualBox, Parallels, the
SeaBIOS emulator, the QEMU emulator, the Bochs emulator, Hyper-V, Innotek VirtualBox
and sandboxes (Cuckoo).

Furthermore, there are dozens of techniques that could be used for detecting
VMware sandboxes:

✓ Examining the registry (OpenSubKey( ) function) to try to find entries related
to tools installed in the guest
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VirtualMachine\Guest\Parameters).

✓ Using WMI to query the Win32_BIOS management class to interact with
attributes from the physical machine.

We already know every single anti-VM technique around the world, and all of
them are documented.

Most current techniques use WMI, and it is quick to write a C# program using
them.
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using System;
using System.Management;

namespace Test_VM
{
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    class Program
    {
        static void Main(string[] args)
        {
            // Win32_BIOS exposes the firmware attributes of the (physical or virtual) machine
            ManagementClass bioscClass =
                new ManagementClass("Win32_BIOS");
            ManagementObjectCollection biosc =
                bioscClass.GetInstances();
            ManagementObjectCollection.ManagementObjectEnumerator
                bioscEnumerator =
                biosc.GetEnumerator();
            while (bioscEnumerator.MoveNext())
            {
                ManagementObject biosc1 =
                    (ManagementObject)bioscEnumerator.Current;
                Console.WriteLine(
                    "Attributes: \n\n" + "Version:\t " + biosc1["Version"].ToString());
                Console.WriteLine(
                    "SerialNumber: \t " + biosc1["SerialNumber"].ToString());
                Console.WriteLine(
                    "OperatingSystem:\t " + biosc1["TargetOperatingSystem"].ToString());
                Console.WriteLine(
                    "Manufacturer: \t " + biosc1["Manufacturer"].ToString());
            }
            //return 0;
        }
    }
}
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✓ The code from the last slide does not contain anything new:

✓ The ManagementClass class represents a Common Information Model
(CIM) management class.

✓ The Win32_BIOS WMI class represents the attributes of the BIOS, and members of
this class enable you to access WMI data using a specific WMI class path.

✓ GetInstances( ) acquires a collection of all instances of the class.
✓ GetEnumerator( ) returns the enumerator (IEnumerator) for the collection.
✓ IEnumerator.Current returns the element at the current position of the enumerator.
✓ IEnumerator.MoveNext( ) advances the enumerator to the next element of
the collection.

Physical host:
C:\> Test_VM.exe
Attributes:
Version:         DELL - 6222004
SerialNumber:    0596551
OperatingSystem: 0
Manufacturer:    Dell Inc.

Guest virtual machine:
E:\> Test_VM.exe
Attributes:
Version:         LENOVO - 6040000
SerialNumber:    VMware-56 4d 8d c3 a7 c7 e5 2b-39 d6 cc 93 bf 90 28 2d
OperatingSystem: 0
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using System;
using System.Management;

namespace TestVM_3
{
    class Program
    {
        static void Main(string[] args)
        {
            ManagementClass tempClass =
                new ManagementClass("Win32_TemperatureProbe");
            ManagementObjectCollection tempinstance =
                tempClass.GetInstances();
            foreach (ManagementObject aborges in tempinstance)
            {
                // GetPropertyValue( ) returns null when the probe has no reading,
                // so calling ToString( ) on it raises the exception shown below
                string buffer = aborges.GetPropertyValue("CurrentReading").ToString();
                Console.WriteLine("Temperature:\t" + buffer);
            }
        }
    }
}

c:\Users\Administrador\source\repos\TestVM_3\TestVM_3\bin\Debug>TestVM_3.exe

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at TestVM_3.Program.Main(String[] args) in c:\users\administrador\source\repos\TestVM_3\TestVM_3\Program.cs:line 16
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[Screenshot: Windows Management Instrumentation Tester (wbemtest) connected to namespace root\cimv2 using IWbemLocator (Namespaces), returning IWbemServices; semisynchronous method invocation, impersonation level Impersonate, batch count 5000, timeout -1]
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[Query: WQL: select * from Win32_TemperatureProbe; result: 1 objects, max. batch: 1, Done]
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[Object editor for Win32_TemperatureProbe.DeviceID="root\cimv2 0": provider CIMWin32, Description "CPU Internal Temperature"; the reading properties (CIM_UINT32 and CIM_BOOLEAN) are <null>]
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using System;
using System.Management;

namespace TestVM_3
{
    public class Program
    {
        public static void Main(string[] args)
        {
            ManagementClass tempClass =
                new ManagementClass("Win32_TemperatureProbe");
            ManagementObjectCollection tempinstance = tempClass.GetInstances();
            // In a virtual machine the collection is empty, so the loop body never runs
            foreach (ManagementObject aborges in tempinstance)
            {
                try
                {
                    if (!string.IsNullOrWhiteSpace(aborges.GetPropertyValue("Status").ToString()))
                    {
                        string buffer = aborges.GetPropertyValue("Status").ToString();
                        Console.WriteLine("\nStatus: " + buffer + " Thus, the program is running in a physical host!");
                        return;
                    }
                }
                catch (NullReferenceException e)
                {
                    Console.WriteLine("\nSomething Wrong Happened! " + e.Message);
                }
            }
            Console.WriteLine("This program IS RUNNING in a virtual machine!");
        }
    }
}

[Debugger watch window on the physical host: PropertyData [27] Name "Status", Origin "CIM_ManagedSystemElement", Type String, IsArray false, IsLocal true, Value "OK"]
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[WQL query: select * from Win32_TemperatureProbe]

✓ There is no support for acquiring
temperature data in virtual machines.

✓ Therefore, malware is able to know
whether it is running on a virtual machine
or not.

[Debugger watch window in the virtual machine: tempClass {\\WIN81\ROOT\cimv2:Win32_TemperatureProbe} (System.Management.ManagementClass); tempinstance {System.Management.ManagementObjectCollection} with Count 0, IsSynchronized false]

✓ Physical Host:
C:\> VM_Test2.exe
Status: OK Thus, the program is running in a physical host!

✓ Virtual Machine:
C:\> VM_Test2.exe
This program IS RUNNING in a virtual machine!
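The two WMI checks above (Win32_BIOS attributes and the empty Win32_TemperatureProbe collection) can be turned around and used by an analyst to audit what a sandbox guest exposes before detonating samples in it. The following program is an added example, not code from the deck or its author; the namespace, class and method names are assumptions, and it generalizes the slides' code by reading every property null-safely, so the NullReferenceException seen earlier cannot occur.

```csharp
using System;
using System.Collections.Generic;
using System.Management;

namespace SandboxAudit   // hypothetical name, not from the deck
{
    public static class WmiAudit
    {
        // Returns the property as a string, or null when the instance has no
        // value for it (WMI reports <null> for CurrentReading inside a VM,
        // which is what raised the NullReferenceException in the slides).
        public static string SafeProp(ManagementBaseObject obj, string name)
        {
            object v = obj.GetPropertyValue(name);
            return v == null ? null : v.ToString();
        }

        // Enumerates the two classes discussed in the deck and returns one
        // line per observation, so the analyst can see what the guest leaks.
        public static List<string> Collect()
        {
            var findings = new List<string>();
            using (var bios = new ManagementObjectSearcher("SELECT * FROM Win32_BIOS"))
            {
                foreach (ManagementObject b in bios.Get())
                {
                    findings.Add("BIOS Manufacturer: " + (SafeProp(b, "Manufacturer") ?? "<null>"));
                    findings.Add("BIOS SerialNumber: " + (SafeProp(b, "SerialNumber") ?? "<null>"));
                    findings.Add("BIOS Version: " + (SafeProp(b, "Version") ?? "<null>"));
                }
            }
            int probes = 0;
            using (var temp = new ManagementObjectSearcher("SELECT * FROM Win32_TemperatureProbe"))
            {
                foreach (ManagementObject t in temp.Get())
                {
                    probes++;
                    findings.Add("TemperatureProbe Status: " + (SafeProp(t, "Status") ?? "<null>")
                                 + ", CurrentReading: " + (SafeProp(t, "CurrentReading") ?? "<null>"));
                }
            }
            // An empty collection is the condition the deck's final program keys on
            findings.Add("TemperatureProbe instances: " + probes
                         + (probes == 0 ? " (none: typical of a virtual machine)" : ""));
            return findings;
        }

        public static void Main()
        {
            foreach (string line in Collect()) Console.WriteLine(line);
        }
    }
}
```

A BIOS serial number beginning with "VMware-" or a probe count of zero in the output means the guest is trivially distinguishable from the physical host shown on the earlier slide.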
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A FEW CONCLUSIONS:
✓ Before trying to unpack modern protectors, it is really necessary to
understand the common anti-reversing techniques.

✓ MIASM, METASM and TRITON are amazing tools to handle and
deobfuscate complex code.

✓ Emulation is a possible alternative for understanding small and
complicated pieces of code.

✓ DTrace has done an excellent job on Solaris and it may be an excellent
tool on the Windows operating system. Stay tuned.

✓ Although excellent research has found sophisticated anti-VM
techniques, many other simple and smart ones exist. Take care.
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